Update Go toolchain and dependencies to address CRITICAL and HIGH CVEs

[marc-barry]

Summary

The v25.4.0 Docker image contains Go dependencies with known published CVEs. These are detected by Trivy when the Hydra binary is included in downstream container images.

CRITICAL

Library	CVE	Installed	Fixed
Go stdlib	CVE-2025-68121	1.25.2	1.25.7+

Unexpected session resumption in crypto/tls.

HIGH

Library	CVE	Installed	Fixed
go.opentelemetry.io/otel/sdk	CVE-2026-24051	v1.38.0	1.40.0
Go stdlib	CVE-2025-61726	1.25.2	1.25.6
Go stdlib	CVE-2025-61728	1.25.2	1.25.6
Go stdlib	CVE-2025-61729	1.25.2	1.25.5

MEDIUM

Library	CVE	Installed	Fixed
golang.org/x/crypto	CVE-2025-47914	v0.42.0	0.45.0
golang.org/x/crypto	CVE-2025-58181	v0.42.0	0.45.0

Requested change

A patch release with:

1. Go toolchain bump to at least 1.25.8 (fixes all stdlib CVEs)
2. go get go.opentelemetry.io/otel/sdk@v1.40.0
3. go get golang.org/x/crypto@v0.45.0

[jajeffries]

Note that these changes are already in master, but are currently unreleased

[marc-barry]

Thanks for the v26.2.0 release — it resolved the original CVEs reported here.

However, v26.2.0 appears to have been built with Go 1.26.0 which has since received security patches in 1.26.1. The Hydra binary still carries these stdlib vulnerabilities:

CVE	Severity	Installed	Fixed
CVE-2026-25679	HIGH	1.26.0	1.26.1
CVE-2026-27137	HIGH	1.26.0	1.26.1
CVE-2026-27142	MEDIUM	1.26.0	1.26.1
CVE-2026-27138	LOW	1.26.0	1.26.1
CVE-2026-27139	LOW	1.26.0	1.26.1

A patch release rebuilding with Go 1.26.1 would resolve these.

[vinckr]

If you rely on Ory software as mission-critical and you need CVE fixes on a guaranteed timeline, please have a look at the Ory Enterprise License.

[marc-barry]

If you rely on Ory software as mission-critical and you need CVE fixes on a guaranteed timeline, please have a look at the Ory Enterprise License.

Thanks for the response @vinckr. I think we can solve this with something like https://github.com/marc-barry/hydra. It will allow me to produce a CVE-free version of Hydra with minimal updates to the code. It also allows me to create a patched version based on the release tags and not have to wait for a new release with updates.

I'm going to play around with this a little more as an option for minimizing CVEs within the image.

[ston1th]

@vinckr I get your point but to be honest security in terms of known CVEs which could be fixed by simple version bumps and a recompile should not be paywalled for anyone. CI/CD would do most of the work anyways.
Thats less about mission criticality for enterprises but more about to not leave all the OSS versions running on the public internet vulnerable for a longer period of time.

Could you please reconsider this?