Go 1.24.6 in lifecycle contains 10 HIGH severity CVEs - upgrade to 1.25.2+ neededΒ #1548
Description
Summary
The CNB lifecycle is currently built with Go 1.24.6, which contains 10 HIGH severity CVEs. The lifecycle launcher binary (compiled with this vulnerable Go version) is included in all final container images, causing production deployments to be blocked when vulnerability scanning is enforced.
Affected Version
- lifecycle: v0.20.14 - v0.20.16 (current latest)
- Go version: 1.24.6
- Component:
/cnb/lifecycle/launcherbinary in runtime images
CVEs in Go 1.24.6
All 10 CVEs are in the Go standard library (stdlib):
- CVE-2025-47912 - net/url: insufficient validation of bracketed IPv6 hostnames
- CVE-2025-58183 - archive/tar: unbounded allocation when parsing GNU sparse map
- CVE-2025-58185 - encoding/asn1: memory exhaustion in DER payload parsing
- CVE-2025-58186 - net/http: lack of limit when parsing cookies can cause memory exhaustion
- CVE-2025-58187 - crypto/x509: quadratic complexity when checking name constraints (requires Go 1.24.9+)
- CVE-2025-58188 - crypto/x509: panic when validating certificates with DSA public keys
- CVE-2025-58189 - crypto/tls: ALPN negotiation errors can contain arbitrary text
- CVE-2025-61723 - encoding/pem: quadratic complexity when parsing some invalid inputs
- CVE-2025-61724 - net/textproto: excessive CPU consumption in Reader.ReadResponse
- CVE-2025-61725 - net/mail: excessive CPU consumption in ParseAddress
Fix available in: Go 1.24.8 / 1.25.2 (or 1.24.9 / 1.25.3 for CVE-2025-58187)
Impact
- All Paketo builders affected - every builder using lifecycle v0.20.14-v0.20.16 includes the vulnerable launcher binary
- Runtime vulnerability - the launcher binary is in the final container image and executes at container startup
- Production deployments blocked - vulnerability scanners flag these CVEs, preventing deployments with
breakBuildOnVulnerabilities: true - No workaround available - users cannot easily patch or replace the lifecycle version in existing builders