helper binary flagged for CVE-2025-68121 (go/stdlib crypto/tls) #402
Closed
tmiyako-cod started this conversation in General
Replies: 2 comments 2 replies
The helper binary would have been built with the latest go version available at the time. We can certainly plan for another release to update again. I should be able to do that Friday. This wouldn't be the first time that a go issue has been released right after we update 🥲 |
Thank you for the quick turnaround! I've confirmed that the vulnerability (CVE-2025-68121) is no longer flagged in our image scans after rebuilding with the updated buildpacks. Closing this discussion. |
Summary
The helper binary included in the built image (/layers/paketo-buildpacks_ca-certificates/helper/helper) is flagged for CVE-2025-68121 (go/stdlib crypto/tls) by AWS ECR image scanning.

Details
CVE-2025-68121, crypto/tls: TLS session resumption certificate validation bypass
Affected file: /layers/paketo-buildpacks_ca-certificates/helper/helper

Environment
paketobuildpacks/builder-jammy-base:latest
BootBuildImage

Expected behavior
The helper binary should be compiled with Go 1.25.7+ (or 1.24.13+) to resolve CVE-2025-68121.

Notes
Go 1.25.7 was released on 2026-02-04, and ca-certificates v3.11.1 was released on 2026-02-06. However, the v3.11.1 release only included "Bump Go Modules", and the helper binary appears to still be built with a Go version prior to 1.25.7, as the CVE is still reported in scans.
In https://github.com/orgs/paketo-buildpacks/discussions/308, a maintainer mentioned:
Could a new patch release be published with an updated Go toolchain?
Thank you for maintaining this project!
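The open question in the thread is which Go toolchain the helper binary was actually built with, and the only evidence offered is an ECR scan result. Every Go binary built from a module carries its toolchain version in embedded build info (what `go version -m <file>` prints), so the check can be done directly on the file in the image. The program below is an added example, not code from the paketo-buildpacks project or from anyone in the discussion. It takes the fix thresholds from the post (1.25.7 on the 1.25 line, 1.24.13 on the 1.24 line) and the helper path from the post as assumptions; when that path does not exist, it inspects its own executable so that it still runs outside the image.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// FixedPatch maps a Go 1.x minor line to the first patch release that the
// discussion names as carrying the crypto/tls fix for CVE-2025-68121
// (assumption taken from the post: 1.25.7 and 1.24.13). Lines not listed
// here received no fix.
var FixedPatch = map[int]int{25: 7, 24: 13}

// ParseGoVersion splits a toolchain string such as "go1.25.7" or "go1.25"
// into its minor and patch numbers. Pre-release and development toolchains
// ("go1.26rc1", "devel go1.26-...") are rejected so they are never treated
// as patched by accident.
func ParseGoVersion(v string) (minor, patch int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "1" {
		return 0, 0, false
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil || minor < 0 {
		return 0, 0, false
	}
	if len(parts) == 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil || patch < 0 {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// IsPatched reports whether a toolchain version is at or past the fixed
// release on its minor line. Lines newer than any listed line are assumed
// to ship with the fix; older, unlisted lines are reported as unpatched.
func IsPatched(goVersion string) bool {
	minor, patch, ok := ParseGoVersion(goVersion)
	if !ok {
		return false
	}
	newest := 0
	for m := range FixedPatch {
		if m > newest {
			newest = m
		}
	}
	if minor > newest {
		return true
	}
	fixed, listed := FixedPatch[minor]
	return listed && patch >= fixed
}

// CheckBinary reads the build information Go embeds in a module-built
// binary (the same data `go version -m <file>` prints) and reports the
// toolchain version together with the patched verdict.
func CheckBinary(path string) (goVersion string, patched bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	return bi.GoVersion, IsPatched(bi.GoVersion), nil
}

func main() {
	// Default to the helper path quoted in the post (assumed layout); if it
	// is absent, for instance when run outside the image, inspect ourselves.
	path := "/layers/paketo-buildpacks_ca-certificates/helper/helper"
	if len(os.Args) > 1 {
		path = os.Args[1]
	} else if _, err := os.Stat(path); err != nil {
		path, _ = os.Executable()
	}
	v, ok, err := CheckBinary(path)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, CVE-2025-68121 patched: %t\n", path, v, ok)
	if !ok {
		os.Exit(1)
	}
}
```

Run it against the unpacked image layer (`go run . /layers/paketo-buildpacks_ca-certificates/helper/helper`) to get the toolchain version without waiting for a registry scan; a non-zero exit means the binary still needs a rebuild with a fixed toolchain. The version read from build info is what scanners key on for stdlib advisories, so the same check can be used to confirm a rebuild before pushing.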