Skip to content

Security: Fix CVE-2025-47907 by updating Go to 1.24.6#868

Merged
yxxhero merged 2 commits intomasterfrom
copilot/fix-cve-2025-47907-vulnerability
Oct 11, 2025
Merged

Security: Fix CVE-2025-47907 by updating Go to 1.24.6#868
yxxhero merged 2 commits intomasterfrom
copilot/fix-cve-2025-47907-vulnerability

Conversation

Copy link
Contributor

Copilot AI commented Oct 11, 2025
edited
Loading

Overview

This PR addresses a HIGH severity security vulnerability (CVE-2025-47907) in the Go standard library by updating the Go version from 1.24.5 to 1.24.6.

Vulnerability Details

CVE ID: CVE-2025-47907
Severity: HIGH
Component: Go stdlib (database/sql package)
Issue: Postgres Scan Race Condition
Reference: https://avd.aquasec.com/nvd/cve-2025-47907

The vulnerability was detected in the compiled helm-diff plugin binary during a Trivy security scan.

Changes

This PR makes minimal, surgical changes to resolve the vulnerability:

  1. go.mod: Updated Go version from 1.24.5 to 1.24.6
  2. Dockerfile.release: Updated base image from golang:1.22 to golang:1.24 for consistency

Testing

✅ All existing unit tests pass
✅ Binary builds successfully
✅ Linting and static checks pass
✅ Plugin functionality verified (helm diff version)
✅ No dependency updates required

Impact

  • Security: Resolves CVE-2025-47907 in the Go standard library
  • Compatibility: No breaking changes - this is a patch version update
  • CI/CD: GitHub Actions workflows will automatically use the updated Go version via go-version-file: 'go.mod'
  • Releases: Future releases built with GoReleaser will use the patched Go version

Verification

After this PR is merged, the next release of helm-diff will be built with Go 1.24.6, which will eliminate the security vulnerability from the distributed binaries.

Closes #<issue_number>

Original prompt

This section details on the original issue you should resolve

<issue_title>Security: CVE-2025-47907 in Go stdlib v1.24.5 - Postgres Scan Race Condition</issue_title>
<issue_description>## Vulnerability Description

Trivy security scan detected a HIGH severity vulnerability in the helm-diff plugin binary.

CVE ID: CVE-2025-47907
Severity: HIGH
Component: stdlib (Go standard library)
Current Version: v1.24.5
Fixed Version: 1.23.12, 1.24.6

Vulnerability Details

Title: database/sql: Postgres Scan Race Condition
Reference: https://avd.aquasec.com/nvd/cve-2025-47907

Affected Binary

root/.local/share/helm/plugins/helm-diff/diff/bin/diff (gobinary)

Scan Output

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-47907 │ HIGH     │ fixed  │ v1.24.5           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────┘

Remediation

Please update the Go version used to build the helm-diff plugin to at least:

  • Go 1.23.12 (if using 1.23.x series)
  • Go 1.24.6 (if using 1.24.x series)

This will resolve the vulnerability in the Go standard library's database/sql package.

Environment

  • Scanner: Trivy
  • Detection Date: 2025-10-10
  • Plugin Location: .local/share/helm/plugins/helm-diff/

Thank you for maintaining this plugin!</issue_description>

Comments on the Issue (you are @copilot in this section)

@yxxhero @jean-humann PR is welcome.

Fixes #867

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@yxxhero
Fix CVE-2025-47907: Update Go to 1.24.6
db5cf22 
Co-authored-by: yxxhero <11087727+yxxhero@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security vulnerability CVE-2025-47907 in Go stdlib Security: Fix CVE-2025-47907 by updating Go to 1.24.6 Oct 11, 2025
Copilot AI requested a review from yxxhero October 11, 2025 03:38
@yxxhero yxxhero marked this pull request as ready for review October 11, 2025 06:25
@yxxhero yxxhero merged commit c80c4a5 into master Oct 11, 2025
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yxxhero yxxhero Awaiting requested review from yxxhero

Assignees

@yxxhero yxxhero

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: CVE-2025-47907 in Go stdlib v1.24.5 - Postgres Scan Race Condition

2 participants

@yxxhero