Skip to content

fix: bump extras/dagger grpc-go to v1.79.3#3274

Open
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-p77j-4mvh-x3m3-20260708-141829
Open

fix: bump extras/dagger grpc-go to v1.79.3#3274
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-p77j-4mvh-x3m3-20260708-141829

Conversation

@chainloop-development

@chainloop-development chainloop-development Bot commented Jul 8, 2026

Copy link
Copy Markdown

Summary

Bumped the nested extras/dagger Go module off the vulnerable indirect google.golang.org/grpc v1.76.0 to v1.79.3, the first patched release identified by the assessment. The change is limited to that module's dependency manifests and the transitive versions Go resolved alongside the grpc-go upgrade.

Vulnerability Fixed

GHSA-p77j-4mvh-x3m3, severity CRITICAL: gRPC-Go has an authorization bypass via missing leading slash in :path.

Changes Made

  • Updated extras/dagger/go.mod to require google.golang.org/grpc v1.79.3 instead of the vulnerable v1.76.0.
  • Refreshed extras/dagger/go.sum and the transitive dependency versions that Go module resolution advanced with the grpc-go bump.
  • Left the root module unchanged because it already depends on google.golang.org/grpc v1.81.1; the remediation is scoped to the affected nested module only.

Verification

Ran syft dir:. -o cyclonedx-json > /tmp/extras-dagger-sbom.json && grype sbom:/tmp/extras-dagger-sbom.json --only-fixed -o json from repo/extras/dagger and checked the results for GHSA-p77j-4mvh-x3m3. Outcome: resolved — the advisory is absent from the post-change grype results for the scanned module.

Risk Assessment

View the risk assessment in Chainloop

Review in cubic

@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis returned zero findings across all scanned files, which is positive. However, the dependency analysis identifies multiple unresolved, high-severity vulnerabilities introduced in the newly updated dependency versions, which we strongly recommend addressing before merging. While the PR successfully remediates the gRPC authorization bypass (CVE-2026-33186, CVSS High C:H/I:H), the updated dependencies carry significant residual risk: (1) golang.org/x/net v0.48.0 carries 7 active vulnerabilities including XSS, remote DoS via HTTP/2, and a privilege escalation via Punycode bypass (CVE-2026-39821, CVSS High C:H/I:H) — fix by upgrading to v0.56.0; (2) go.opentelemetry.io/otel/sdk v1.39.0 contains two PATH hijacking vulnerabilities enabling arbitrary code execution on FreeBSD/Solaris and Darwin platforms (full C:H/I:H/A:H impact) — fix by upgrading to v1.44.0; (3) go.opentelemetry.io/otel v1.39.0 has a remote DoS amplification vulnerability via baggage header parsing (~77x CPU/memory amplification, CVSS AV:N/AC:L/PR:N/UI:N/A:H) — fix by upgrading to v1.44.0; (4) golang.org/x/sys v0.39.0 contains an integer overflow in Windows string handling — fix by upgrading to v0.46.0. The net security posture does not improve sufficiently when trading one resolved critical issue for four dependency groups with unpatched high-severity vulnerabilities. All four have known fixed versions readily available, making remediation straightforward before merge.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • golang.org/x/net v0.48.0 still contains 7 active vulnerabilities in the new version:
  • CVE-2026-42502 (XSS via incorrect HTML element handling in foreign content)
  • CVE-2026-25680 (DoS via excessive CPU on HTML parse)
  • CVE-2026-25681 (XSS via incorrect character references in DOCTYPE nodes)
  • CVE-2026-27136 (XSS via duplicate attributes)
  • CVE-2026-42506 (XSS via namespaced elements in foreign content)
  • CVE-2026-39821 (Privilege escalation via Punycode label bypass in idna, CVSS High C:H/I:H)
  • CVE-2026-33814 (Infinite loop / DoS via HTTP/2 SETTINGS_MAX_FRAME_SIZE=0)
    Dependency path: golang.org/x/net (direct)
    Fix: go get golang.org/x/net@v0.56.0
  • go.opentelemetry.io/otel/sdk v1.39.0 still contains 2 active vulnerabilities in the new version:
  • CVE-2026-39883 (GHSA-hfvc-g4fc-pqhx): BSD kenv command uses bare name enabling PATH hijacking on FreeBSD/Solaris platforms, leading to arbitrary code execution.
  • CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq): PATH hijacking via ioreg on Darwin enabling arbitrary code execution.
    Both are local privilege escalation but can result in full C:H/I:H/A:H impact.
    Dependency path: go.opentelemetry.io/otel/sdk (direct)
    Fix: go get go.opentelemetry.io/otel/sdk@v1.44.0
  • go.opentelemetry.io/otel v1.39.0 still contains an active advisory in the new version:
  • CVE-2026-29181 (GHSA-mh2q-q3fh-2475): Multi-value baggage header extraction causes excessive CPU/memory allocations (remote DoS amplification, CVSS AV:N/AC:L/PR:N/UI:N/A:H). Attackers can send many baggage header lines to amplify allocations by ~77x.
    Dependency path: go.opentelemetry.io/otel (direct)
    Fix: go get go.opentelemetry.io/otel@v1.44.0
  • golang.org/x/sys v0.39.0 still contains an active advisory in the new version:
  • CVE-2026-39824: Integer overflow in NewNTUnicodeString (golang.org/x/sys/windows). Affects Windows platform; returns truncated string instead of error on overflow.
    Dependency path: golang.org/x/sys (direct)
    Fix: go get golang.org/x/sys@v0.46.0

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 57332bb, performed at: 2026-07-08T12:19:11Z

Found this helpful? Give it a 👍 or 👎 reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants