deps(deps): update ansible/ansible-lint action to v25.2.1 #99

renovate · 2025-04-02T15:35:23Z

This PR contains the following updates:

Package	Type	Update	Change
ansible/ansible-lint	action	minor	`v25.1.3` -> `v25.2.1`

Release Notes

ansible/ansible-lint (ansible/ansible-lint)

`v25.2.1`

Compare Source

Bugfixes

Finish support for data tagging from ansible 2.19 (#4571) @ssbarnea

`v25.2.0`

Compare Source

Enhancements

Refactor line number identification (#4564) @ssbarnea
Require ansible-core 2.16.11 (#4569) @ssbarnea

Bugfixes

Improve testing and code coverage (#4561) @ssbarnea
Refactor types for future ansible-core compatibility (#4557) @ssbarnea
Isolate ansible internal types to submodule (#4556) @ssbarnea
Add line method to Task class (#4554) @ssbarnea
Move task_to_str to Task class (#4553) @ssbarnea
Add 2025 to WindowsPlatformModel (#4531) @rsdoherty

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2025-04-02T15:36:20Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github-actions · 2025-04-02T15:36:22Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:22Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:23Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:23Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:24Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:25Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:25Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:25Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:29Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:30Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github-actions · 2025-04-02T15:36:30Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:32Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:32Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:32Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:32Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:33Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:33Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github-actions · 2025-04-02T15:36:35Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:35Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:35Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:38Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-02T15:36:39Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.033%`
EPSS Percentile	`6th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.073%`
EPSS Percentile	`19th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`28th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-02T15:36:41Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:20Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:21Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:21Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:23Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:24Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:24Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:26Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:26Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:26Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:26Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:29Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:29Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:29Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:29Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:29Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:31Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:32Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:34Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:34Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:36Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:43Z

Outdated

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:46Z

Outdated

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2025-04-03T16:12:49Z

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

📦 Image Reference moby/buildkit:buildx-stable-1

digest	`sha256:3c2d380153442abef80c4a7bd144af682eb264b748e1bea93b7d3f76ca7e0d62`
vulnerabilities
platform	linux/amd64
size	104 MB
packages	244

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.22.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.038%`
EPSS Percentile	`8th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.083%`
EPSS Percentile	`22nd percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`
EPSS Score	`0.203%`
EPSS Percentile	`40th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.123%`
EPSS Percentile	`29th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/[email protected]

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.090%`
EPSS Percentile	`23rd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/[email protected]#v5

Asymmetric Resource Consumption (Amplification)

Affected range	`>=5.0.0-rc.1 <5.2.2`
Fixed version	`5.2.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.055%`
EPSS Percentile	`14th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

github-actions · 2025-04-03T16:12:52Z

Recommended fixes for image `moby/buildkit:buildx-stable-1`

Base image is alpine:3

Name	3.21.3
Digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
Vulnerabilities
Pushed	1 month ago
Size	3.6 MB
Packages	19
OS	3.21.3

The base image is also available under the supported tag(s): 3.21, 3.21.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

renovate bot requested a review from lotyp as a code owner April 2, 2025 15:35

renovate bot enabled auto-merge (squash) April 2, 2025 15:35

github-actions bot added the type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci) label Apr 2, 2025

deps(deps): update ansible/ansible-lint action to v25.2.1

6a14c49

renovate bot changed the title ~~deps(deps): update ansible/ansible-lint action to v25.2.0~~ deps(deps): update ansible/ansible-lint action to v25.2.1 Apr 3, 2025

renovate bot force-pushed the renovate/ansible-ansible-lint-25.x branch from 4e908d6 to 6a14c49 Compare April 3, 2025 16:11

deps(deps): update ansible/ansible-lint action to v25.2.1 #99

Are you sure you want to change the base?

deps(deps): update ansible/ansible-lint action to v25.2.1 #99

Conversation

renovate bot commented Apr 2, 2025 • edited Loading

Release Notes

v25.2.1

Bugfixes

v25.2.0

Enhancements

Bugfixes

Configuration

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

Change base image

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

Change base image

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

Change base image

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

Change base image

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

Change base image

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

Summary

Details

Impact

github-actions bot commented Apr 2, 2025 • edited Loading

Recommended fixes for image moby/buildkit:buildx-stable-1

Refresh base image

renovate bot commented Apr 2, 2025 •

edited

Loading

`v25.2.1`

`v25.2.0`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 2, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

🔍 Vulnerabilities of `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`

github-actions bot commented Apr 3, 2025 •

edited

Loading

Recommended fixes for image `moby/buildkit:buildx-stable-1`