Skip to content

chore(deps): update security updates [security]#137

Merged
NumaryBot merged 1 commit into
mainfrom
renovate/security
Apr 9, 2026
Merged

chore(deps): update security updates [security]#137
NumaryBot merged 1 commit into
mainfrom
renovate/security

Conversation

@NumaryBot
Copy link
Copy Markdown
Contributor

@NumaryBot NumaryBot commented Apr 4, 2026
edited by coderabbitai Bot
Loading

This PR contains the following updates:

Package Type Update Change
github.com/go-jose/go-jose/v4 require patch v4.1.3 -> v4.1.4
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp indirect minor v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp indirect minor v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/sdk indirect minor v1.40.0 -> v1.43.0

GitHub Vulnerability Alerts

CVE-2026-34986

Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.

This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

Fixed In

4.1.4 and v3.0.5

Workarounds

If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.

If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).

Thanks

Thanks to Datadog's Security team for finding this issue.

Go JOSE Panics in JWE decryption

CVE-2026-34986 / GHSA-78h2-9frx-2jm8

More information

Details

Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.

This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

Fixed In

4.1.4 and v3.0.5

Workarounds

If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.

If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).

Thanks

Thanks to Datadog's Security team for finding this issue.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2026-39882

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2026-39883

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

CVE-2026-39883 / GHSA-hfvc-g4fc-pqhx

More information

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack
  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.1.4

Compare Source

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added
  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
    for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
  • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
    Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
  • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)
Changed
  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
  • Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
  • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
  • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)
Deprecated
  • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)
Fixed
  • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
    make the implementation spec-compliant. (#​8027)
  • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)
What's Changed
New Contributors

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

v1.42.0: /v0.64.0/v0.18.0/v0.0.16

Compare Source

Added
  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
    The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
  • Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)
Changed
  • TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)
Fixed
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
  • Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
  • Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)
Removed
  • Drop support for [Go 1.24]. (#​7984)
What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Summary by CodeRabbit

  • Chores
    • Upgraded Go runtime to version 1.25.0.
    • Updated multiple core dependencies to their latest versions for improved stability and security enhancements.

@NumaryBot NumaryBot enabled auto-merge (squash) April 4, 2026 02:59
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 4, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Updated the module Go version and advanced multiple dependency versions in go.mod (including OpenTelemetry, gRPC/Google packages, golang.org/x modules, and github.com/go-jose/go-jose/v4). No Go source exported/public declarations were changed.

Changes

Cohort / File(s) Summary
Module manifest
go.mod		 Bumped module Go version to go 1.25.0 and updated numerous direct and indirect dependencies: github.com/go-jose/go-jose/v4 v4.1.3→v4.1.4, OpenTelemetry modules (e.g., go.opentelemetry.io/otel/trace v1.40.0→v1.43.0 and related OTLP/proto), golang.org/x/oauth2/golang.org/x/text to v0.35.0, and several google.golang.org/* and golang.org/x/* packages; also bumped github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1→v2.28.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, a nudge, dependencies climb,

go.mod sings in measured time.
jose and otel get shiny and new,
bumps applied with a careful chew.
Hop—the build hums a brighter tune. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The PR title 'chore(deps): update security updates [security]' is vague and redundant; it doesn't clearly specify which dependencies are being updated or their new versions, only mentioning a generic security focus without meaningful details about the actual changes. Revise the title to be more specific and informative, such as 'chore(deps): update go-jose to v4.1.4 and other dependencies for security' or similar to reflect the primary security update while maintaining clarity.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/security

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 13: The repo still pulls the vulnerable v2 package
(gopkg.in/go-jose/go-jose.v2 v2.6.3) even though you added
github.com/go-jose/go-jose/v4 v4.1.4; migrate all OIDC-related imports and
usages from the v2 module to the v4 module (replace imports like
"gopkg.in/go-jose/go-jose.v2" with "github.com/go-jose/go-jose/v4" and update
any API differences in the OIDC verification/signature code), remove the v2
requirement from go.mod, then run go mod tidy to prune the old dependency and
verify tests/builds pass; focus changes around the OIDC packages and any files
that reference JWS/JWT types or functions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43664be8-9e81-474d-9c5e-68f3d4daa936

📥 Commits

Reviewing files that changed from the base of the PR and between 713060b and 4312da8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/formancehq/go-libs/v3 v3.6.1
github.com/go-chi/chi/v5 v5.2.4
github.com/go-jose/go-jose/v4 v4.1.3
github.com/go-jose/go-jose/v4 v4.1.4
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Direct go-jose requirements in go.mod =="
rg -n 'go-jose' go.mod

echo
echo "== go-jose imports across repository =="
rg -n --type=go 'go-jose|gopkg\.in/(square/)?go-jose'

echo
echo "== Potential JWE decrypt/parse entry points =="
rg -n --type=go 'ParseEncrypted|ParseEncryptedCompact|ParseEncryptedJSON|\.Decrypt\('

Repository: formancehq/auth

Length of output: 650

🌐 Web query:

CVE-2026-34986 GHSA-78h2-9frx-2jm8 go-jose panic DoS JWE

💡 Result:

CVE-2026-34986 (GHSA-78h2-9frx-2jm8) is a Denial of Service (DoS) vulnerability in the go-jose library affecting JWE decryption. When decrypting a JWE object where the 'alg' header specifies a key wrapping algorithm (ending in 'KW'), the library panics, causing a crash. This allows remote attackers to trigger a panic via a specially crafted JWE, leading to DoS. Affected: go-jose versions prior to recent patches (likely v3.0.5, v4.1.4 based on release dates around March-April 2026). Sources confirm the issue via advisory titles and snippets from GitHub Advisory Database, dbugs.ptsecurity, and go-jose repo security overview. Published around April 1-3, 2026. Upgrade to patched versions to mitigate.

Citations:

🏁 Script executed:

# Check if v2 versions might be affected or if there's a patched v2
rg -i 'v2.6|v2.6.3' go.mod

# Look for actual JWE/decrypt usage in the OIDC code
rg -n --type=go 'Decrypt|Encrypted|ParseEncrypted' pkg/oidc/

Repository: formancehq/auth

Length of output: 141

🌐 Web query:

go-jose v2.6.3 CVE-2026-34986 vulnerable patched

💡 Result:

go-jose v2.6.3 is vulnerable to CVE-2026-34986. This CVE, published around April 1, 2026, affects the go-jose library where decrypting certain JWE objects causes a panic if the 'alg' field indicates a key wrapping algorithm (ending in 'KW'). No patch information for v2.6.3 specifically is found; v2 is obsolete per official docs (versions 1 and 2 are deprecated, migrate to v4). The library maintainers recommend using v4 (current stable as of 2026), which likely includes fixes given recent releases up to v4.1.3 and v3.0.5. v2.6.3 was released March 2024, predating the CVE.

Citations:

🏁 Script executed:

# Search for wrapper functions that might do JWE operations
rg -n --type=go 'jose|jwe|decrypt' pkg/oidc/ -i

# Check how the v4 import is actually used in cmd/serve.go
rg -n -A 5 'github.com/go-jose/go-jose/v4' cmd/serve.go

Repository: formancehq/auth

Length of output: 2010

v4.1.4 bump is correct but does not remediate v2 vulnerability; codebase uses v2 for JWS only, not JWE decryption.

Line 13 correctly updates the v4 import to the patched v4.1.4. However, CVE-2026-34986 affects JWE decryption specifically, and the codebase's OIDC modules use gopkg.in/go-jose/go-jose.v2 v2.6.3 exclusively for JWS (signature verification) operations, not JWE. The vulnerable v2.6.3 remains in the dependency graph with no available patches. Since v2 is deprecated per upstream guidance, consider migrating all OIDC imports to v4 to fully remediate the vulnerability and eliminate the obsolete dependency.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 13, The repo still pulls the vulnerable v2 package
(gopkg.in/go-jose/go-jose.v2 v2.6.3) even though you added
github.com/go-jose/go-jose/v4 v4.1.4; migrate all OIDC-related imports and
usages from the v2 module to the v4 module (replace imports like
"gopkg.in/go-jose/go-jose.v2" with "github.com/go-jose/go-jose/v4" and update
any API differences in the OIDC verification/signature code), remove the v2
requirement from go.mod, then run go mod tidy to prune the old dependency and
verify tests/builds pass; focus changes around the OIDC packages and any files
that reference JWS/JWT types or functions.

@NumaryBot NumaryBot force-pushed the renovate/security branch from 4312da8 to 4940f41 Compare April 9, 2026 03:02
@NumaryBot NumaryBot changed the title chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] chore(deps): update security updates [security] Apr 9, 2026
@NumaryBot
Copy link
Copy Markdown
Contributor Author

NumaryBot commented Apr 9, 2026

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 18 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.4 -> 1.25.0
go.opentelemetry.io/otel/trace v1.40.0 -> v1.43.0
golang.org/x/oauth2 v0.34.0 -> v0.35.0
golang.org/x/text v0.32.0 -> v0.35.0
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 -> v2.28.0
go.opentelemetry.io/otel v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/metric v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric v1.40.0 -> v1.43.0
go.opentelemetry.io/proto/otlp v1.7.0 -> v1.10.0
golang.org/x/crypto v0.46.0 -> v0.49.0
golang.org/x/net v0.48.0 -> v0.52.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/sys v0.40.0 -> v0.42.0
golang.org/x/tools v0.39.0 -> v0.42.0
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.79.3 -> v1.80.0
google.golang.org/protobuf v1.36.10 -> v1.36.11

coderabbitai[bot]
coderabbitai Bot reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
go.mod (1)

28-28: ⚠️ Potential issue | 🟠 Major

Vulnerable v2 dependency remains in codebase.

The gopkg.in/go-jose/go-jose.v2 v2.6.3 dependency is still present and vulnerable to CVE-2026-34986. As noted in the previous review, v2 is deprecated with no available patches. The codebase should migrate all OIDC-related usage from the v2 module to the v4 module to fully remediate this vulnerability.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 28, The go.mod currently pins the deprecated vulnerable
module "gopkg.in/go-jose/go-jose.v2 v2.6.3"; replace that dependency with the
supported v4 module, update all imports that reference
gopkg.in/go-jose/go-jose.v2 to the v4 module path, and adjust any OIDC-related
usages (types/functions in files that import jose, e.g., where you use
jose.NewEncrypter / jose.Signature / jose.JSONWebKey or similar APIs) to the v4
API changes; after updating import paths and code to match v4, run go mod tidy
and rebuild/run tests to ensure compilation and behavior are correct.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Line 28: The go.mod currently pins the deprecated vulnerable module
"gopkg.in/go-jose/go-jose.v2 v2.6.3"; replace that dependency with the supported
v4 module, update all imports that reference gopkg.in/go-jose/go-jose.v2 to the
v4 module path, and adjust any OIDC-related usages (types/functions in files
that import jose, e.g., where you use jose.NewEncrypter / jose.Signature /
jose.JSONWebKey or similar APIs) to the v4 API changes; after updating import
paths and code to match v4, run go mod tidy and rebuild/run tests to ensure
compilation and behavior are correct.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b3859798-d4c7-4e8c-b7d3-405e6f024723

📥 Commits

Reviewing files that changed from the base of the PR and between 4312da8 and 4940f41.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@NumaryBot NumaryBot merged commit eb9ce86 into main Apr 9, 2026
6 checks passed
@NumaryBot NumaryBot deleted the renovate/security branch April 9, 2026 15:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@flemzord flemzord flemzord approved these changes

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NumaryBot @flemzord