Skip to content

fix(deps): vuln unstable upgrades — 34 packages (unstable: 4 · minor: 28 · patch: 2) [staging/src/k8s.io/sample-apiserver]#137

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/unstable/go/sample-apiserver/2-1781534898
Open

fix(deps): vuln unstable upgrades — 34 packages (unstable: 4 · minor: 28 · patch: 2) [staging/src/k8s.io/sample-apiserver]#137
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/unstable/go/sample-apiserver/2-1781534898

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 36 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • staging/src/k8s.io/sample-apiserver (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.72.1 v1.81.1 minor Transitive 3 CRITICAL
go.opentelemetry.io/otel/sdk v1.34.0 v1.44.0 minor Transitive 4 HIGH
k8s.io/client-go v0.0.0 v0.36.2 unstable Direct 6 MEDIUM
golang.org/x/crypto v0.36.0 v0.53.0 minor Transitive 6 MEDIUM, 14 UNKNOWN
k8s.io/apimachinery v0.0.0 v0.36.2 unstable Direct 3 MEDIUM
k8s.io/apiserver v0.0.0 v0.36.2 unstable Direct 2 MEDIUM
golang.org/x/net v0.38.0 v0.56.0 minor Transitive 2 MEDIUM, 8 UNKNOWN
k8s.io/component-base v0.0.0 v0.36.2 unstable Direct -
github.com/coreos/go-systemd/v22 v22.5.0 v22.7.0 minor Transitive -
github.com/emicklei/go-restful/v3 v3.11.0 v3.13.0 minor Transitive -
github.com/felixge/httpsnoop v1.0.4 v1.1.0 minor Transitive -
github.com/fsnotify/fsnotify v1.9.0 v1.10.1 minor Transitive -
github.com/fxamacker/cbor/v2 v2.8.0 v2.9.2 minor Transitive -
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 v2.29.0 minor Transitive -
github.com/prometheus/client_golang v1.22.0 v1.23.2 minor Transitive -
github.com/spf13/cobra v1.9.1 v1.10.2 minor Direct -
github.com/stretchr/testify v1.10.0 v1.11.1 minor Direct -
go.opentelemetry.io/auto/sdk v1.1.0 v1.2.1 minor Transitive -
go.opentelemetry.io/otel v1.35.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/metric v1.35.0 v1.44.0 minor Transitive -
go.opentelemetry.io/otel/trace v1.35.0 v1.44.0 minor Transitive -
go.opentelemetry.io/proto/otlp v1.5.0 v1.10.0 minor Transitive -
go.uber.org/zap v1.27.0 v1.28.0 minor Transitive -
golang.org/x/oauth2 v0.27.0 v0.36.0 minor Transitive -
golang.org/x/sync v0.12.0 v0.21.0 minor Transitive -
golang.org/x/sys v0.31.0 v0.46.0 minor Transitive 1 UNKNOWN
golang.org/x/term v0.30.0 v0.44.0 minor Transitive -
golang.org/x/text v0.23.0 v0.38.0 minor Transitive -
golang.org/x/time v0.9.0 v0.15.0 minor Transitive -
gopkg.in/evanphx/json-patch.v4 v4.12.0 v4.13.0 minor Transitive -
k8s.io/klog/v2 v2.130.1 v2.140.0 minor Transitive -
sigs.k8s.io/yaml v1.4.0 v1.6.0 minor Transitive -
github.com/emicklei/go-restful/v3 v3.11.0 v3.11.3 patch Transitive -
go.uber.org/zap v1.27.0 v1.27.1 patch Transitive -

Security Details

🚨 Critical & High Severity (7 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.72.1 1.79.3
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.1 -
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.1 1.79.3
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.34.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.34.0 1.40.0
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.34.0 1.40.0
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.34.0 1.43.0
ℹ️ Other Vulnerabilities (42)
Package CVE Severity Summary Unsafe Version Fixed In
golang.org/x/crypto CVE-2025-47914 medium - v0.36.0 -
golang.org/x/crypto GO-2025-4135 medium Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent v0.36.0 0.45.0
golang.org/x/crypto CVE-2025-58181 medium - v0.36.0 -
golang.org/x/crypto GO-2025-4134 medium Unbounded memory consumption in golang.org/x/crypto/ssh v0.36.0 0.45.0
k8s.io/client-go CVE-2020-8565 medium - v0.0.0 -
k8s.io/client-go GO-2021-0064 medium Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go v0.0.0 0.20.0-alpha.2
golang.org/x/crypto GHSA-j5w8-q4qc-rx2x MODERATE golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption v0.36.0 0.45.0
golang.org/x/crypto GHSA-f6x5-jh6r-wrfv MODERATE golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read v0.36.0 0.45.0
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.38.0 0.45.0
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.38.0 -
k8s.io/apimachinery CVE-2020-8559 MODERATE - v0.0.0 -
k8s.io/apimachinery GO-2024-2748 MODERATE Privilege Escalation in Kubernetes in k8s.io/apimachinery v0.0.0 0.16.13
k8s.io/apimachinery GHSA-33c5-9fx5-fvjm MODERATE Privilege Escalation in Kubernetes v0.0.0 0.16.13
k8s.io/apiserver GHSA-82hx-w2r5-c2wq MODERATE Kubernetes API Server DoS Via API Requests v0.0.0 0.15.10
k8s.io/apiserver CVE-2020-8552 MODERATE - v0.0.0 -
k8s.io/client-go GHSA-8cfg-vx93-jvxw MODERATE Kubernetes client-go vulnerable to Sensitive Information Leak via Log File v0.0.0 0.19.6
k8s.io/client-go GO-2021-0065 MODERATE Unauthorized credential disclosure in k8s.io/kubernetes and k8s.io/client-go v0.0.0 0.17.0
k8s.io/client-go CVE-2019-11250 MODERATE - v0.0.0 -
k8s.io/client-go GHSA-jmrx-5g74-6v2f MODERATE Kubernetes client-go library logs may disclose credentials to unauthorized users v0.0.0 0.17.0
golang.org/x/crypto GO-2026-5015 unknown Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5020 unknown Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5018 unknown Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5006 unknown Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5014 unknown Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5023 unknown Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2025-4116 unknown Potential denial of service in golang.org/x/crypto/ssh/agent v0.36.0 0.43.0
golang.org/x/crypto GO-2026-5021 unknown Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5013 unknown Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5016 unknown Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5019 unknown Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5033 unknown Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5017 unknown Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.36.0 0.52.0
golang.org/x/crypto GO-2026-5005 unknown Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.36.0 0.52.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.38.0 0.55.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.38.0 0.55.0
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.38.0 0.53.0
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.38.0 0.45.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.38.0 0.55.0
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.38.0 0.55.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.38.0 0.55.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.38.0 0.55.0
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.31.0 0.44.0
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
github.com/coreos/go-systemd/v22 v22.5.0 Nov 7, 2025 v22.7.0 staging/src/k8s.io/sample-apiserver/go.mod
gopkg.in/evanphx/json-patch.v4 v4.12.0 - v4.13.0 staging/src/k8s.io/sample-apiserver/go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

… patch: 2) [staging/src/k8s.io/sample-apiserver]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants