Skip to content

Update vulnerable dependencies [SECURITY]#239

Open
pulumi-renovate[bot] wants to merge 1 commit into
masterfrom
renovate/security
Open

Update vulnerable dependencies [SECURITY]#239
pulumi-renovate[bot] wants to merge 1 commit into
masterfrom
renovate/security

Conversation

@pulumi-renovate
Copy link
Copy Markdown
Contributor

@pulumi-renovate pulumi-renovate Bot commented Mar 30, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/go-git/go-billy/v5 indirect minor v5.6.2 -> v5.9.0
github.com/go-git/go-git/v5 indirect minor v5.16.5 -> v5.19.0
go.opentelemetry.io/otel/sdk indirect minor v1.42.0 -> v1.43.0

GitHub Vulnerability Alerts

CVE-2026-44740

Impact

Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption.

These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.

Credits

Thanks to @​faran66 for finding and reporting this issue privately to the go-git project. 🙇

CVE-2026-44973

Impact

Multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations.

The osfs.ChrootOS implementation is notably affected by this vulnerability and is now deprecated in v5, removed at v6. Users are recommended to move on to osfs.BoundOS instead: osfs.New(path, WithBoundOS()).

Users requiring stronger security boundary enforcement are recommended to upgrade to v6, where the osfs implementation are backed by the traversal-resistant primitive os.Root.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.

Credits

Thanks to @​faran66 and @​vnykmshr for finding and separately reporting this issue privately to the go-git project. 🙇

CVE-2026-33762

Impact

go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.

An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

go-git maintainers thank @​kq5y for finding and reporting this issue privately to the go-git project.

CVE-2026-34165

Impact

A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the go-git project.

CVE-2026-41506

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

CVE-2026-45022

Impact

go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.

Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.

This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the go-git project. 🙇 🥇

Thanks to @​wayphinder for reporting this to the go-git project. 🙇

Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

CVE-2026-33762 / GHSA-gm2x-2g9h-ccm8 / GO-2026-4909

More information

Details

Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

CVE-2026-34165 / GHSA-jhf3-xxhw-2wpp / GO-2026-4910

More information

Details

Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

go-git: Maliciously crafted idx file can cause asymmetric memory consumption

CVE-2026-34165 / GHSA-jhf3-xxhw-2wpp / GO-2026-4910

More information

Details

Impact

A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the go-git project.

Severity

  • CVSS Score: 5.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

go-git missing validation decoding Index v4 files leads to panic

CVE-2026-33762 / GHSA-gm2x-2g9h-ccm8 / GO-2026-4909

More information

Details

Impact

go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.

An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

go-git maintainers thank @​kq5y for finding and reporting this issue privately to the go-git project.

Severity

  • CVSS Score: 2.8 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

go-git: Credential leak via cross-host redirect in smart HTTP transport

GHSA-3xc5-wrhm-f963

More information

Details

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2026-39883

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

CVE-2026-39883 / GHSA-hfvc-g4fc-pqhx

More information

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack
  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-git/go-billy (github.com/go-git/go-billy/v5)

v5.9.0

Compare Source

What's Changed

Full Changelog: go-git/go-billy@v5.8.0...v5.9.0

v5.8.0

Compare Source

What's Changed

Full Changelog: go-git/go-billy@v5.7.0...v5.8.0

v5.7.0

Compare Source

What's Changed

Full Changelog: go-git/go-billy@v5.6.2...v5.7.0

go-git/go-git (github.com/go-git/go-git/v5)

v5.19.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

v5.18.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

Compare Source

What's Changed

⚠️ This release fixes a bug (https://github.com/go-git/go-git/issues/1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
    for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
  • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
    Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
  • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
  • Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
  • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
  • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

  • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

  • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
    make the implementation spec-compliant. (#​8027)
  • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@pulumi-renovate pulumi-renovate Bot added dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update labels Mar 30, 2026
@pulumi-renovate
Copy link
Copy Markdown
Contributor Author

pulumi-renovate Bot commented Mar 30, 2026
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 13 additional dependencies were updated

Details:

Package Change
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.6.1
github.com/pjbgf/sha1cd v0.3.2 -> v0.6.0
go.opentelemetry.io/otel v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/metric v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace v1.42.0 -> v1.43.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa -> v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/mod v0.33.0 -> v0.35.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
golang.org/x/tools v0.42.0 -> v0.44.0

@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/security branch from 254cd43 to d00f065 Compare April 9, 2026 01:15
@pulumi-renovate pulumi-renovate Bot changed the title Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] Update vulnerable dependencies [SECURITY] Apr 9, 2026
@pulumi-renovate pulumi-renovate Bot changed the title Update vulnerable dependencies [SECURITY] Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] Apr 15, 2026
@pulumi-renovate pulumi-renovate Bot changed the title Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] Update vulnerable dependencies [SECURITY] Apr 15, 2026
@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/security branch from 7790e75 to ae06757 Compare May 12, 2026 04:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pulumi-renovate-approve pulumi-renovate-approve[bot] pulumi-renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants