CVE-2025-68121: Critical vulnerability in Go

[iamigui]

Expected Behaviour
We noticed that knative-serving v1.21.0 appears to be built with Go 1.24.0, and that GHSA-h355-32pf-p2xm (crypto/tls session resumption issue) — rated Critical severity — is fixed in:

Go 1.24.13
Go 1.25.7
Go 1.26.0-rc3

Could you please let us know when the next knative-serving release is expected?

[linkvt]

Hi Miguel,
thanks for the report!

I can confirm that the serving binaries are built with 1.25.6 (I only checked the activator), govulncheck also shows the finding:

❯ GOTOOLCHAIN=go1.25.6 govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2026-4337
    Unexpected session resumption in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4337
  Standard library
    Found in: crypto/tls@go1.25.6
    Fixed in: crypto/tls@go1.25.7
    Example traces found:
      #1: cmd/activator/main.go:222:2: activator.main calls websocket.ManagedConnection.Shutdown, which eventually calls tls.Conn.Handshake
      #2: cmd/default-domain/main.go:205:2: default.main calls http.Server.ListenAndServe, which eventually calls tls.Conn.HandshakeContext
      #3: pkg/autoscaler/metrics/http_scrape_client.go:87:22: metrics.statFromProto calls bytes.Buffer.ReadFrom, which calls tls.Conn.Read
      #4: pkg/activator/handler/probe_handler.go:42:17: handler.ProbeHandler.ServeHTTP calls io.WriteString, which calls tls.Conn.Write
      #5: pkg/queue/request_metric.go:114:18: queue.appRequestMetricsHandler.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which eventually calls tls.Dialer.DialContext

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.

The only thing that I noticed is that the CVE seems to be rated as Medium not Critical.

I'm not sure how, if and when a patch release is triggered, @dprotaso how should we proceed?

[dprotaso]

We noticed that knative-serving v1.21.0 appears to be built with Go 1.24.0

I don't believe that's accurate - how did you determine this?

I'm not sure how, if and when a patch release is triggered, @dprotaso how should we proceed?

Our prow CI is now using 1.25.7 as of two weeks ago - knative/infra#800

Thus if we make a noop change on the branch it should be re-released next Tuesday

[dprotaso]

I would say most users wouldn't be affected by this unless you're using system-internal-tls - even then the CA cert would need to rotate and we expect that to have a very long life (~years)