
Conversation

@amirbenun
Contributor

Summary

Upgrades the Go toolchain from version 1.24.10 to 1.25.5 to address CVE-2025-61729.

Vulnerability Details

  • CVE ID: CVE-2025-61729
  • Severity: HIGH (CVSS 7.5)
  • Component: crypto/x509 (Go standard library)
  • Issue: Quadratic runtime DoS in HostnameError.Error() method
  • Fixed Version: Go 1.25.5 (and 1.24.11)

Impact on Cloudbeat

Cloudbeat is not affected by this vulnerability because:

  • The vulnerable code path only triggers during TLS hostname verification failures
  • Cloudbeat exclusively connects to legitimate cloud provider APIs (AWS, Azure, GCP, Kubernetes) with valid certificates
  • An attacker would need to MITM connections and provide malicious certificates, which is prevented in Cloudbeat's operational environment

Nevertheless, this upgrade is recommended as part of standard security maintenance.

Changes

  • Updated go.mod: go 1.24.10 → go 1.25.5
  • No code changes required

Test Plan

  • Build succeeded with Go 1.25.5
  • CI tests pass
  • Integration tests pass

References

🤖 Generated with Claude Code
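Added example, not code from this PR or from Cloudbeat: it exercises the code path the description refers to, a TLS hostname check that fails against a certificate the client did not choose, and pairs it with the two checks a practitioner would want around this upgrade. `NewFixtureCert` builds a constructed self-signed certificate standing in for a peer-presented one; `HostnameMismatch` reproduces the `crypto/x509` `HostnameError` that only a verification failure produces; `BoundedTLSError` shows how to log such a failure without rendering `HostnameError.Error()` on a toolchain that has not been upgraded; `ToolchainPatched` checks a `runtime.Version()` string against the fixed releases the PR lists (1.25.5 and 1.24.11). All function names and the fixture SANs are assumptions; the version thresholds are the ones stated above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"runtime"
	"strconv"
	"strings"
	"time"
)

// NewFixtureCert builds a self-signed leaf certificate carrying the given DNS SANs.
// Constructed test fixture standing in for a peer-presented certificate; not Cloudbeat code.
func NewFixtureCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fixture"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMismatch runs the hostname check that is the only route into HostnameError.
// It returns the error when host matches no SAN, nil when verification succeeds.
func HostnameMismatch(cert *x509.Certificate, host string) *x509.HostnameError {
	var he x509.HostnameError
	if errors.As(cert.VerifyHostname(host), &he) {
		return &he
	}
	return nil
}

// BoundedTLSError logs a mismatch in a fixed shape without calling HostnameError.Error(),
// the method named in CVE-2025-61729. Code that reports failures for certificates it did
// not choose should not let the certificate's contents drive the size of the message.
func BoundedTLSError(he *x509.HostnameError) string {
	return fmt.Sprintf("tls: hostname %q did not match certificate (%d DNS SANs, %d IP SANs)",
		he.Host, len(he.Certificate.DNSNames), len(he.Certificate.IPAddresses))
}

// leadingInt parses the digits at the start of s ("25" from "25rc1").
func leadingInt(s string) (int, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, false
	}
	n, err := strconv.Atoi(s[:i])
	return n, err == nil
}

// ToolchainPatched reports whether a runtime.Version() string such as "go1.25.5" is at
// or past the fixed releases (1.25.5, 1.24.11). Older lines, pre-release builds of
// 1.24/1.25 and unparseable strings ("devel ...") count as unpatched, the conservative default.
func ToolchainPatched(version string) bool {
	parts := strings.SplitN(strings.TrimPrefix(version, "go"), ".", 3)
	if len(parts) < 2 || parts[0] != "1" {
		return false
	}
	minor, ok := leadingInt(parts[1])
	if !ok {
		return false
	}
	patch := 0
	if len(parts) == 3 {
		if p, ok := leadingInt(parts[2]); ok {
			patch = p
		}
	}
	switch {
	case minor >= 26:
		return true
	case minor == 25:
		return patch >= 5
	case minor == 24:
		return patch >= 11
	}
	return false
}

func main() {
	fmt.Printf("%s patched for CVE-2025-61729: %v\n", runtime.Version(), ToolchainPatched(runtime.Version()))
	cert, err := NewFixtureCert([]string{"api.example.test"}) // assumed SAN, not a real endpoint
	if err != nil {
		panic(err)
	}
	if he := HostnameMismatch(cert, "evil.example.test"); he != nil {
		fmt.Println(BoundedTLSError(he))
	}
}
```

`ToolchainPatched` is the check to run across a fleet of built binaries (via `go version -m` or a health endpoint exposing `runtime.Version()`), since bumping the `go` directive in go.mod only takes effect once every build actually uses the newer toolchain. `BoundedTLSError` is the interim pattern for any code that logs verification failures on a still-unpatched build.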

Copilot AI review requested due to automatic review settings December 7, 2025 13:25
@amirbenun amirbenun requested a review from a team as a code owner December 7, 2025 13:25
@mergify

mergify bot commented Dec 7, 2025

This pull request does not have a backport label. Could you fix it @amirbenun? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v\d.\d.\d is the label to automatically backport to the 8.\d branch. \d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.


Copilot AI left a comment


Pull request overview

This PR attempts to upgrade the Go toolchain from version 1.24.10 to 1.25.5 to address a reported security vulnerability (CVE-2025-61729) in the crypto/x509 package. However, the specified version appears to be invalid.

Key Changes:

  • Updates the Go version directive in go.mod from 1.24.10 to 1.25.5


This commit upgrades the Go toolchain to version 1.25.5 to address CVE-2025-61729, a HIGH severity vulnerability in crypto/x509's HostnameError.Error() method that could lead to excessive resource consumption.

While Cloudbeat is not directly affected by this vulnerability (it only impacts TLS hostname verification failures), upgrading to the patched Go version is part of standard security maintenance practices.

Fixes CVE-2025-61729

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@amirbenun amirbenun enabled auto-merge (squash) December 8, 2025 12:55
@amirbenun amirbenun merged commit e49ead1 into elastic:main Dec 8, 2025
10 checks passed
@amirbenun amirbenun deleted the go-1.25.5-main branch December 8, 2025 13:17
