chore(deps): update github/codeql-action action to v4.35.5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github/codeql-action	action	minor	v4.32.3 → v4.35.5

---

Release Notes

github/codeql-action (github/codeql-action)

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

v4.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #​3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #​3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #​3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #​3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #​3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #​3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #​3503, #​3504

v4.32.4

Compare Source

• Update default CodeQL bundle version to 2.24.2. #​3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test
- digest	c78edd932156	0f5f372484a2
- tag	1.21.11	test
- stream	latest
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	82 MB	147 MB (+65 MB)
- packages	93	176 (+83)
Base Image	alpine:3 also known as: • 3.23 • latest	alpine:3 also known as: • 3.23 • latest
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test	Change	Standing
No unapproved base images	❓ No data	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 47	⚠️ 43	-4	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	❓ No data	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (106 package changes and 8 vulnerability changes)

• ➕ 93 packages added
• ➖ 12 packages removed
• ♾️ 1 packages changed
• 77 packages unchanged

• ❗ 8 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	alpine-base		3.23.3-r0
➕	ca-certificates		20251003-r0
➕	gcc		15.2.0-r2
➕	ncurses		6.5_p20251123-r0
➕	openssl		3.5.5-r0
			Added vulnerabilities (7):
➕	pax-utils		1.3.8-r2
➕	xz		5.8.2-r0
			Added vulnerabilities (1):
♾️	xz-libs	5.8.3-r0	5.8.2-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	openjdk		21.0.10
➖	openjdk	21.0.10

Changes for packages of type golang (20 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➖	cuelabs.dev/go/oci/ociregistry	0.0.0-20250304105642-27e071d2c9b1
➕	cuelabs.dev/go/oci/ociregistry		0.0.0-20250304105642-27e071d2c9b1
➖	github.com/cenkalti/backoff/v5	5.0.3
➕	github.com/cenkalti/backoff/v5		5.0.3
➖	github.com/cespare/xxhash/v2	2.3.0
➕	github.com/cespare/xxhash/v2		2.3.0
➕	github.com/cockroachdb/apd/v3		3.2.1
➖	github.com/cockroachdb/apd/v3	3.2.1
➕	github.com/grpc-ecosystem/grpc-gateway/v2		2.27.7
➖	github.com/grpc-ecosystem/grpc-gateway/v2	2.27.7
➕	github.com/pelletier/go-toml/v2		2.2.4
➖	github.com/pelletier/go-toml/v2	2.2.4
➕	go.opentelemetry.io/contrib/instrumentation/runtime		0.65.0
➖	go.opentelemetry.io/contrib/instrumentation/runtime	0.65.0
➖	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	1.40.0
➕	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc		1.40.0
➖	go.opentelemetry.io/otel/sdk/metric	1.40.0
➖	google.golang.org/genproto/googleapis/api	0.0.0-20260203192932-546029d2fa20
➕	google.golang.org/genproto/googleapis/rpc		0.0.0-20260203192932-546029d2fa20
➖	google.golang.org/genproto/googleapis/rpc	0.0.0-20260203192932-546029d2fa20

Changes for packages of type maven (76 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	AutoRenamingTool/AutoRenamingTool		2.0.3
➕	ansi/ansi		1.1.1
➕	asm-utils/asm-utils		0.0.3
➕	cli-utils/cli-utils		2.1.4
➕	com.google.errorprone/error_prone_annotations		2.41.0
➕	com.google.guava/listenablefuture		9999.0-empty-to-avoid-conflict-with-guava
➕	com.google.j2objc/j2objc-annotations		3.1
➕	com.google.protobuf/protobuf-java		4.29.0
➕	com.googlecode.json-simple/json-simple		1.1.1
➕	com.lmax.disruptor/disruptor		3.4.4
➕	com.mysql/mysql-connector-j		9.2.0
➕	commons-codec/commons-codec		1.16.0
➕	commons-lang/commons-lang		2.6
			Added vulnerabilities (1):
➕	concurrentutil/concurrentutil		0.0.8
➕	examination-api/examination-api		1.3.0
➕	examination-string/examination-string		1.3.0
➕	gson-io/gson-io		2.0.17
➕	io.leangen.geantyref/geantyref		1.3.16
➕	io.netty/netty-codec-haproxy		4.2.7.Final
➕	io.papermc.paperclip.Main/papermc-server		1.21.11-69
➕	io.sigpipe/jbsdiff		1.0
➕	net.kyori.adventure.key/adventure-key		4.25.0
➕	net.kyori.adventure.text.logger.slf4j/adventure-text-logger-slf4j		4.25.0
➕	net.kyori.adventure.text.minimessage/adventure-text-minimessage		4.25.0
➕	net.kyori.adventure.text.serializer.ansi/adventure-text-serializer-ansi		4.25.0
➕	net.kyori.adventure.text.serializer.constant/adventure-text-serializer-commons		4.25.0
➕	net.kyori.adventure.text.serializer.gson/adventure-text-serializer-gson		4.25.0
➕	net.kyori.adventure.text.serializer.json/adventure-text-serializer-json		4.25.0
➕	net.kyori.adventure.text.serializer.legacy/adventure-text-serializer-legacy		4.25.0
➕	net.kyori.adventure.text.serializer.plain/adventure-text-serializer-plain		4.25.0
➕	net.kyori.adventure/adventure-api		4.25.0
➕	net.md-5/bungeecord-chat		1.21-R0.2
➕	net.minecrell.terminalconsole/terminalconsoleappender		1.3.0
➕	option/option		1.1.0
➕	org.apache.commons/commons-compress		1.5
			Added vulnerabilities (5):
➕	org.apache.httpcomponents/httpclient		4.5.14
➕	org.apache.httpcomponents/httpcore		4.4.16
➕	org.apache.logging.log4j/log4j-iostreams		2.24.1
➕	org.apache.maven.resolver/maven-resolver-api		1.9.18
➕	org.apache.maven.resolver/maven-resolver-connector-basic		1.9.18
➕	org.apache.maven.resolver/maven-resolver-impl		1.9.18
➕	org.apache.maven.resolver/maven-resolver-named-locks		1.9.18
➕	org.apache.maven.resolver/maven-resolver-spi		1.9.18
➕	org.apache.maven.resolver/maven-resolver-transport-http		1.9.18
➕	org.apache.maven.resolver/maven-resolver-util		1.9.18
➕	org.apache.maven/maven-artifact		3.9.6
➕	org.apache.maven/maven-builder-support		3.9.6
➕	org.apache.maven/maven-model		3.9.6
➕	org.apache.maven/maven-model-builder		3.9.6
➕	org.apache.maven/maven-repository-metadata		3.9.6
➕	org.apache.maven/maven-resolver-provider		3.9.6
➕	org.bukkit/paper-api		1.21.11-R0.1-SNAPSHOT
➕	org.codehaus.plexus/plexus-interpolation		1.26
➕	org.codehaus.plexus/plexus-utils		3.5.1
			Added vulnerabilities (1):
➕	org.eclipse.sisu/org.eclipse.sisu.inject		0.9.0.M2
➕	org.jline/jline-native		3.27.1
➕	org.jline/jline-reader		3.20.0
➕	org.jline/jline-terminal		3.27.1
➕	org.jline/jline-terminal-ffm		3.27.1
➕	org.jline/jline-terminal-jni		3.27.1
➕	org.objectweb.asm.commons/asm-commons		9.8
➕	org.objectweb.asm.tree/asm-tree		9.8
➕	org.objectweb.asm/asm		9.8
➕	org.slf4j/jcl-over-slf4j		1.7.36
➕	org.spongepowered.configurate.yaml/configurate-yaml		4.2.0
➕	org.spongepowered.configurate/configurate-core		4.2.0
➕	org.xerial/sqlite-jdbc		3.49.1.0
➕	org.yaml/snakeyaml		2.2
➕	reflection-rewriter-proxy-generator/reflection-rewriter-proxy-generator		0.0.3
➕	reflection-rewriter-runtime/reflection-rewriter-runtime		0.0.3
➕	reflection-rewriter/reflection-rewriter		0.0.3
➕	spark-api/spark-api		0.1-20240720.200737-2
➕	spark-paper/spark-paper		1.10.152
➕	spec/spec		2.0.17
➕	srgutils/srgutils		1.0.9
➕	velocity-native/velocity-native		3.4.0-SNAPSHOT

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:0f5f372484a22afed7ef08e101d9f9db9264054f6c83797a46360ad761a3c8a1
vulnerabilities
platform	linux/amd64
size	147 MB
packages	176

📦 Base Image alpine:3

also known as	3.23 3.23.3 latest
digest	sha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 Affected range <1.24.13 Fixed version 1.24.13 EPSS Score 0.018% EPSS Percentile 5th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.022% EPSS Percentile 6th percentile Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.020% EPSS Percentile 6th percentile Description The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.054% EPSS Percentile 17th percentile Description Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.018% EPSS Percentile 5th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.017% EPSS Percentile 4th percentile Description When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.044% EPSS Percentile 14th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.017% EPSS Percentile 4th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.034% EPSS Percentile 10th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.040% EPSS Percentile 12th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.039% EPSS Percentile 12th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.009% EPSS Percentile 1st percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 5th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.019% EPSS Percentile 5th percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.008% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.030% EPSS Percentile 9th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.013% EPSS Percentile 2nd percentile Description If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.010% EPSS Percentile 1st percentile Description CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.004% EPSS Percentile 0th percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.012% EPSS Percentile 2nd percentile Description ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.021% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 4th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.037% EPSS Percentile 11th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.017% EPSS Percentile 4th percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.007% EPSS Percentile 1st percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

openssl 3.5.5-r0 (apk) pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.23 Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.006% EPSS Percentile 0th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.043% EPSS Percentile 13th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.035% EPSS Percentile 10th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.085% EPSS Percentile 25th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.085% EPSS Percentile 25th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.034% EPSS Percentile 10th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.022% EPSS Percentile 6th percentile Description

google.golang.org/grpc 1.78.0 (golang) pkg:golang/google.golang.org/grpc@1.78.0 Improper Authorization Affected range <1.79.3 Fixed version 1.79.3 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.020% EPSS Percentile 5th percentile Description Impact What kind of vulnerability is it? Who is impacted? It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. Who is impacted? This affects gRPC-Go servers that meet both of the following criteria: They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx). Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server. Patches Has the problem been patched? What versions should users upgrade to? Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer): v1.79.3 The latest master branch. It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release. Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: 1. Use a Validating Interceptor (Recommended Mitigation) Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs: func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { if info.FullMethod == "" || info.FullMethod[0] != '/' { return nil, status.Errorf(codes.Unimplemented, "malformed method name") } return handler(ctx, req) } // Ensure this is the FIRST interceptor in your chain s := grpc.NewServer( grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor), ) 2. Infrastructure-Level Normalization If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash. 3. Policy Hardening Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

stdlib 1.25.7 (golang) pkg:golang/stdlib@1.25.7 Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.022% EPSS Percentile 6th percentile Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.020% EPSS Percentile 6th percentile Description The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.054% EPSS Percentile 17th percentile Description Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.018% EPSS Percentile 5th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.017% EPSS Percentile 4th percentile Description When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.044% EPSS Percentile 14th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.013% EPSS Percentile 2nd percentile Description If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.010% EPSS Percentile 1st percentile Description CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.004% EPSS Percentile 0th percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.012% EPSS Percentile 2nd percentile Description ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.007% EPSS Percentile 1st percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/commons-compress@1.5 Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.736% EPSS Percentile 73rd percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.319% EPSS Percentile 80th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.740% EPSS Percentile 83rd percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.191% EPSS Percentile 79th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 5th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

golang.org/x/net 0.39.0 (golang) pkg:golang/golang.org/x/net@0.39.0 Affected range <0.53.0 Fixed version 0.53.0 EPSS Score 0.018% EPSS Percentile 5th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.011% EPSS Percentile 1st percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.017% EPSS Percentile 4th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

musl 1.2.5-r21 (apk) pkg:apk/alpine/musl@1.2.5-r21?os_name=alpine&os_version=3.23 Affected range <1.2.5-r23 Fixed version 1.2.5-r23 EPSS Score 0.020% EPSS Percentile 6th percentile Description Affected range <1.2.5-r22 Fixed version 1.2.5-r22 EPSS Score 0.017% EPSS Percentile 4th percentile Description

go.opentelemetry.io/otel 1.40.0 (golang) pkg:golang/go.opentelemetry.io/otel@1.40.0 Uncontrolled Resource Consumption Affected range >=1.36.0 <=1.40.0 Fixed version 1.41.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.057% EPSS Percentile 18th percentile Description multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. severity HIGH (availability / remote request amplification) relevant links repository: https://github.com/open-telemetry/opentelemetry-go pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58 vulnerability details pins: open-telemetry/opentelemetry-go@1ee4a41 as-of: 2026-02-04 policy: direct (no program scope provided) callsite: propagation/baggage.go:58 (extractMultiBaggage) attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation root cause extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit). impact in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency. example from the attached PoC harness (darwin/arm64; 80 values; 40 requests): canonical: per_req_alloc_bytes=10315458 and p95_ms=7 control: per_req_alloc_bytes=133429 and p95_ms=0 proof of concept canonical: mkdir -p poc unzip poc.zip -d poc cd poc make test output (excerpt): [CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage [PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165 control: cd poc make control control output (excerpt): [NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480 expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes. fix recommendation avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total). fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms. poc.zip PR_DESCRIPTION.md

go.opentelemetry.io/otel/sdk 1.40.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.40.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.009% EPSS Percentile 1st percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

golang.org/x/net 0.49.0 (golang) pkg:golang/golang.org/x/net@0.49.0 Affected range <0.53.0 Fixed version 0.53.0 EPSS Score 0.018% EPSS Percentile 5th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

org.codehaus.plexus/plexus-utils 3.5.1 (maven) pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <3.6.1 Fixed version 4.0.3 EPSS Score 0.273% EPSS Percentile 51st percentile Description Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

zlib 1.3.1-r2 (apk) pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23 Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.008% EPSS Percentile 1st percentile Description Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.009% EPSS Percentile 1st percentile Description

busybox 1.37.0-r30 (apk) pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23 Affected range <=1.37.0-r30 Fixed version Not Fixed EPSS Score 0.051% EPSS Percentile 16th percentile Description

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/commons-lang@2.6 Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.135% EPSS Percentile 33rd percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

xz 5.8.2-r0 (apk) pkg:apk/alpine/xz@5.8.2-r0?os_name=alpine&os_version=3.23 Affected range <5.8.3-r0 Fixed version 5.8.3-r0 EPSS Score 0.060% EPSS Percentile 19th percentile Description

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud