[Questions] Go library vulnerabilities show up on a scan

[manoj-md]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I run RabbitMQ 4.x, the only series currently covered by community support
• I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.2.2

Erlang version used

28.3.x

Operating system (distribution) used

ubuntu-24

How is RabbitMQ deployed?

Community Docker image

rabbitmq-diagnostics status output

See https://www.rabbitmq.com/docs/cli to learn how to use rabbitmq-diagnostics

Details

# PASTE OUTPUT HERE, BETWEEN BACKTICKS

Logs from node 1 (with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

Details

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

Details

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

Details

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

Details

# PASTE rabbitmq.conf HERE, BETWEEN BACKTICKS

Steps to deploy RabbitMQ cluster

Through dockerfile .

Steps to reproduce the behavior in question

.

advanced.config

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find advanced.config file location

Details

# PASTE advanced.config HERE, BETWEEN BACKTICKS

Application code

Details

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

Details

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

Hi RabbitMQ Team,

We are currently using the RabbitMQ management image 4.2.2 and have observed a few HIGH severity CVEs reported by our vulnerability scanners as listed below . Could you please let us know if fixes for these vulnerabilities are expected to be included in upcoming RabbitMQ patch releases or base image updates .

Vulnerabilities observed in RabbitMQ image:

Severity Package / Area Installed Fixed In CVE

---

CRITICAL Go stdlib (net, http) Go 1.22.2 >= 1.22.4+ CVE-2024-24790
CRITICAL Go stdlib (net/http) Go 1.22.2 >= 1.23.8 CVE-2025-22871

HIGH Go stdlib (multiple) Go 1.22.2 >= 1.22.5 /
1.22.7 /
1.23.x /
1.24.x Multiple CVEs

[michaelklishin]

@manoj-md those are Go library vulnerabilities, RabbitMQ server does not use Go.

I have no idea why they show up on a scan, why do you expect our team to fix them, or what image you are talking about to begin with.

Our team helps maintain the community OCI and it has a Go-based tool called gosu but it is only used in Dockerfile templating as far as I can tell. I have asked its primary maintainers for clues docker-library/rabbitmq#794 but it sounds like you'd have to take a closer look at your scan (it's not reasonable to ask open source maintainers to read your scanner output for you and weed out the false positives).

Please take it from here.

Update

Community OCI maintainers explain that gosu is included into the image and gosu is not rebuilt to address vulnerabilities that do not affect it.

gosu Does not Use Any Networking Libraries and Provides an "Actual Use-based" Scanner

gosu includes a script that provides a more accurate picture based on the analysis of the functions that are actually used in the tool. The tool does not use HTTP or communicate over the network in general, for example, it is entirely local tool that, ironically, exists for improving security of the RabbitMQ node process in the image.

So nothing in the RabbitMQ community OCI uses those affected libraries. The image is open source, so anyone can verify this claim with a reasonable amount of effort.

[michaelklishin]

Apparently there's prior art to these reports that make no sense to the RabbitMQ core team docker-library/rabbitmq#733.