starred/smtprelay
1
0
Fork 0
mirror of https://github.com/decke/smtprelay.git synced 2026-04-25 12:55:54 +03:00
Code Issues 7 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #272] Multiple vulnerabilities in stdlib #47

New issue
Closed
opened 2026-02-26 18:33:03 +03:00 by kerem · 3 comments
kerem commented 2026-02-26 18:33:03 +03:00
Owner
Copy link

Originally created by @eric-as on GitHub (Nov 11, 2025).
Original GitHub issue: https://github.com/decke/smtprelay/issues/272

Hello Bernhard,

Thank for for providing and maintaining this software.

We built an docker image to distribute smtprelay on our platform. While scanning this image with Trivy, I found these vulnerabilities:

trivy image --scanners vuln --ignore-unfixed --severity HIGH,CRITICAL --table-mode detailed --quiet --exit-code 2 [repo/image:tag]
usr/local/bin/smtprelay (gobinary)
Total: 8 (HIGH: 8, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22874 │ HIGH     │ fixed  │ v1.24.3           │ 1.24.4          │ crypto/x509: Usage of ExtKeyUsageAny disables policy         │
│         │                │          │        │                   │                 │ validation in crypto/x509                                    │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22874                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-47907 │          │        │                   │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-47912 │          │        │                   │ 1.24.8, 1.25.2  │ The Parse function permits values other than IPv6 addresses  │
│         │                │          │        │                   │                 │ to be incl...                                                │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47912                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58183 │          │        │                   │                 │ golang: archive/tar: Unbounded allocation when parsing GNU   │
│         │                │          │        │                   │                 │ sparse map                                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58183                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58186 │          │        │                   │                 │ Despite HTTP headers having a default limit of 1MB, the      │
│         │                │          │        │                   │                 │ number of...                                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58186                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58187 │          │        │                   │ 1.24.9, 1.25.3  │ Due to the design of the name constraint checking algorithm, │
│         │                │          │        │                   │                 │ the proce...                                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58187                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58188 │          │        │                   │ 1.24.8, 1.25.2  │ Validating certificate chains which contain DSA public keys  │
│         │                │          │        │                   │                 │ can cause ......                                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58188                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61724 │          │        │                   │                 │ The Reader.ReadResponse function constructs a response       │
│         │                │          │        │                   │                 │ string through ...                                           │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61724                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Do you have any plans for a future release to mitigate this vulnerabilities, or would it be possible to provide a security hotfix?

Thank you in advance.

Originally created by @eric-as on GitHub (Nov 11, 2025). Original GitHub issue: https://github.com/decke/smtprelay/issues/272 Hello Bernhard, Thank for for providing and maintaining this software. We built an docker image to distribute `smtprelay` on our platform. While scanning this image with Trivy, I found these vulnerabilities: ``` trivy image --scanners vuln --ignore-unfixed --severity HIGH,CRITICAL --table-mode detailed --quiet --exit-code 2 [repo/image:tag] usr/local/bin/smtprelay (gobinary) Total: 8 (HIGH: 8, CRITICAL: 0) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2025-22874 │ HIGH │ fixed │ v1.24.3 │ 1.24.4 │ crypto/x509: Usage of ExtKeyUsageAny disables policy │ │ │ │ │ │ │ │ validation in crypto/x509 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22874 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-47907 │ │ │ │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47907 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-47912 │ │ │ │ 1.24.8, 1.25.2 │ The Parse function permits values other than IPv6 addresses │ │ │ │ │ │ │ │ to be incl... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47912 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-58183 │ │ │ │ │ golang: archive/tar: Unbounded allocation when parsing GNU │ │ │ │ │ │ │ │ sparse map │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58183 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-58186 │ │ │ │ │ Despite HTTP headers having a default limit of 1MB, the │ │ │ │ │ │ │ │ number of... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58186 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-58187 │ │ │ │ 1.24.9, 1.25.3 │ Due to the design of the name constraint checking algorithm, │ │ │ │ │ │ │ │ the proce... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58187 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-58188 │ │ │ │ 1.24.8, 1.25.2 │ Validating certificate chains which contain DSA public keys │ │ │ │ │ │ │ │ can cause ...... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58188 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-61724 │ │ │ │ │ The Reader.ReadResponse function constructs a response │ │ │ │ │ │ │ │ string through ... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-61724 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘ ``` Do you have any plans for a future release to mitigate this vulnerabilities, or would it be possible to provide a security hotfix? Thank you in advance.
kerem closed this issue 2026-02-26 18:33:03 +03:00
kerem commented 2026-02-26 18:33:04 +03:00
Author
Owner
Copy link

@decke commented on GitHub (Nov 15, 2025):

I just checked those CVEs briefly and most of them are not relevant. Three are at least theoretical issues because the description is very vague (CVE-2025-47912, CVE-2025-58187, CVE-2025-61724).

Well a new release is coming up soon.

<!-- gh-comment-id:3536506760 --> @decke commented on GitHub (Nov 15, 2025): I just checked those CVEs briefly and most of them are not relevant. Three are at least theoretical issues because the description is very vague (CVE-2025-47912, CVE-2025-58187, CVE-2025-61724). Well a new release is coming up soon.
kerem commented 2026-02-26 18:33:04 +03:00
Author
Owner
Copy link

@decke commented on GitHub (Nov 16, 2025):

Should be fine in release 1.13.0

<!-- gh-comment-id:3538668349 --> @decke commented on GitHub (Nov 16, 2025): Should be fine in release 1.13.0
kerem commented 2026-02-26 18:33:04 +03:00
Author
Owner
Copy link

@eric-as commented on GitHub (Nov 17, 2025):

Hello Bernhard, thanks a lot for your investigation and the new release.

<!-- gh-comment-id:3540400601 --> @eric-as commented on GitHub (Nov 17, 2025): Hello Bernhard, thanks a lot for your investigation and the new release.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/go_modules/github.com/rs/zerolog-1.35.1
dependabot/go_modules/github.com/DeRuina/timberjack-1.4.2
dependabot/go_modules/github.com/chrj/smtpd-1.0.0
dependabot/github_actions/step-security/harden-runner-2.19.0
dependabot/github_actions/github/codeql-action-4.35.2
add-service
v1.13.2
v1.13.1
v1.13.0
v1.12.0
v1.11.2
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.1
v1.0.0
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/smtprelay#47
No description provided.