Is CVE-2025-22871 applicable?

[FooBarWidget]

Our security scanner is complaining that the kubectl Lambda layer is susceptible to CVE-2025-22871. Is this CVE applicable here?

[paulhcsun]

Hi @FooBarWidget, the issue for kubectl-v31 is caused by a Go dependency in helm and kubectl:

• CVE-2025-22871 - go/stdlib helm/helm#30792
• CVE-2025-22871 kubernetes/kubernetes#131326
  We've bumped the versions for helm and kubectl for kubectl-v31 in kubectl-v31v2.1.0 which should have mitigations for this issue. Please try upgrading and see if you still see the same CVE being caught by your scanner.

[tjanowski]

We have the same issue.
We have installed the 2.1.0 version of the layer and the vulnerability CVE-2025-22871 is still detected by AWS inspector, along with CVE-2025-22868 and 4 medium ones.
They all come from kubectl-v31v2.1.0 layer.

[paulhcsun]

We also just released kubectl-v33. Are you able to upgrade to use that or kubectl-v32?

[GavinZZ]

Go 1.24.2 and 1.23.8 have these mitigations. This package does not have direct dependency with go modules, however, the packages we depend on helm and kubectl is currently using the impacted go module and have not made any release to upgrade go module.

However as dims mentioned, it's not clear that this has real impact, and if it did it would depend on having a very particular downstream usage with a particular proxy behavior in front, which we don't have any public evidence of based on golang/go#71988 (comment)

For summary, our option here is limited until helm and kubectl make a release to use the non-impacted version of go module.