chore(deps): update npm to v11.14.1 by renovate[bot] · Pull Request #399 · Djaytan/docker-papermc-server

renovate · 2026-04-01T00:35:40Z

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
npm (source)	packageManager	minor	`11.9.0` → `11.14.1`

Release Notes

npm/cli (npm)

Features

45fc5e0 #9288 add allow-directory, allow-file, and allow-remote (#9288) (@github-actions[bot], @wraithgar)

Bug Fixes

6c17544 #9318 sbom: dedupe per-node dependsOn / relationships (#9318) (@github-actions[bot], @mikaelkristiansson)

Dependencies

840fe18 #9322 socks@10.1.1
b771289 #9322 ip-address@10.1.1
addffcb #9322 cidr-regex@5.0.5

Chores

041fd58 #9322 dev dependency updates (@owlstronaut)
89c505a #9320 add cli-triage team as codeowner (#9320) (@github-actions[bot], @owlstronaut)
workspace: @npmcli/arborist@9.5.0
workspace: @npmcli/config@10.9.0
workspace: libnpmdiff@8.1.7
workspace: libnpmexec@10.2.7
workspace: libnpmfund@7.0.21
workspace: libnpmpack@9.1.7

`v11.13.0`

Compare Source

`v11.12.1`

Compare Source

Bug Fixes

596706a #9148 revert prefer-offline/prefer-online exclusivity (#9129) (@owlstronaut)

Documentation

d1ee8a5 #9140 Add note on relative path prefix for npm publish (#9140) (@pydsigner)

Dependencies

workspace: @npmcli/config@10.8.1

`v11.12.0`

Compare Source

Features

8eff5fb #9049 audit: add --include-attestations flag to output sigstore bundles (#9049) (@mitchdenny)

Bug Fixes

03af94d #9123 skip synopsis code block when command has no usage (@owlstronaut)
21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@manzoorwanijk)

Dependencies

03f4c3a #9131 @sigstore/tuf@4.0.2
4d5f7d9 #9131 @gar/promise-retry@1.0.3
8dcfe69 #9131 @sigstore/sign@4.1.1
e5a7e22 #9127 lru-cache@11.2.7
82deab6 #9127 make-fetch-happen@15.0.5
ce195dc #9127 cacache@20.0.4

Chores

95fa7f4 #9132 fix docs test snapshot (#9132) (@wraithgar)
7e9d538 #9127 dev dependency updates (@wraithgar)
920e5ed #9127 test snapshots (@wraithgar)
98ccf92 #9125 fix snap tests (@owlstronaut)
workspace: @npmcli/arborist@9.4.2
workspace: @npmcli/config@10.8.0
workspace: libnpmdiff@8.1.5
workspace: libnpmexec@10.2.5
workspace: libnpmfund@7.0.19
workspace: libnpmpack@9.1.5

`v11.11.1`

Compare Source

Bug Fixes

a9d242b #9099 include all subcommands on main command help (#9099) (@wraithgar)
29b8407 #9087 unwrap comments and lines meant for output (#9087) (@wraithgar)
b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@manzoorwanijk)
76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@wraithgar)
a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@manzoorwanijk)
6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@Jadu07)

Documentation

3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@mohd-akram)
16ac4e0 #9054 fix workspace cross-dependency documentation (@owlstronaut)

Dependencies

075ae23 #9086 tar@7.5.11
13fa40d #9086 pacote@21.5.0
bf7ea2b #9060 brace-expansion@5.0.4
2000d2c #9060 minimatch@10.2.4
d86b260 #9060 tar@7.5.10
dff1853 #9060 @npmcli/run-script@10.0.4
93c3365 #9060 write-file-atomic@7.0.1

Chores

d1996a7 #9060 dev dependency updates (@wraithgar)
workspace: @npmcli/arborist@9.4.1
workspace: libnpmdiff@8.1.4
workspace: libnpmexec@10.2.4
workspace: libnpmfund@7.0.18
workspace: libnpmpack@9.1.4

`v11.11.0`

Compare Source

Features

4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@wraithgar)
e1b21f0 #8909 adds circleci to trust command (#8909) (@owlstronaut)
9a33ad0 #8925 adds circleci to oidc (#8925) (@owlstronaut)

Bug Fixes

4426411 #9026 npm audit signatures for keyless attestation registries (#9026) (@ajayk)
658b323 #9010 handle legacy licenses array in sbom output (#9010) (@JNC4)

Documentation

143f8cd #9007 docs shouldn't wrap yaml description (#9007) (@owlstronaut)

Dependencies

7798b6e #9027 @gar/promise-retry@1.0.2
4838864 #9027 balanced-match@4.0.4
0c200dd #9027 brace-expansion@5.0.3
f0606bb #9027 spdx-license-ids@3.0.23
d43f350 #9027 make-fetch-happen@15.0.4
4d0918a #9027 @npmcli/git@7.0.2
8912ca7 #9027 minipass-fetch@5.0.2
450ff35 #9027 npm-packlist@10.0.4
20ef5a5 #9027 pacote@21.4.0
60f332c #9008 remove promise-retry
cb8b9c7 #9008 add @gar/promise-retry@1.0.0
workspace: @npmcli/arborist@9.4.0
workspace: libnpmdiff@8.1.3
workspace: libnpmexec@10.2.3
workspace: libnpmfund@7.0.17
workspace: libnpmpack@9.1.3

`v11.10.1`

Compare Source

Bug Fixes

9fac412 #8995 improve unknown config warning with .npmrc section hint (#8995) (@umeshmore45)
bb135cc #8981 arborist: fix peerOptional dependency resolution in buildIdealTree (#8981) (@Saibamen, @cursoragent)
5c03826 #8993 remove tabular output from "npm view" (@wraithgar)
4648f26 #8993 remove tabular output from "npm team" (@wraithgar)

Documentation

0a5756d #8998 clarify unsupported custom .npmrc keys and recommend alternatives (#8998) (@maitrawebtech)
22c9153 #8985 fix typo and grammar in README (#8985) (@csmit195, Chris)

Dependencies

aa8ffbf #9002 init-package-json@8.2.5 (#9002)
67a0f09 #9001 glob@13.0.6
56b8fd4 #9001 minimatch@10.2.2
aa7fef5 #9001 minipass@7.1.3
d3a4161 #9000 @npmcli/package-json@7.0.5 (#9000)
7aa9338 #8993 remove cli-columns
f7f7c53 #8991 hoist balanced-match
10cb575 #8991 hoist latest yallist
1b3dc9a #8991 cidr-regex@5.0.3
4307af6 #8991 glob@13.0.5
13b4d6a #8991 minimatch@10.2.1
45d4000 #8991 tar@7.5.9

Chores

40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)
1598adb #8991 dev dependency updates (@wraithgar)
workspace: @npmcli/arborist@9.3.1
workspace: @npmcli/config@10.7.1
workspace: libnpmdiff@8.1.2
workspace: libnpmexec@10.2.2
workspace: libnpmfund@7.0.16
workspace: libnpmpack@9.1.2

`v11.10.0`

Compare Source

Features

cf56a1e #8899 npm trust, per-command config (@reggi)
cf56a1e #8899 npm trust (@reggi)
66d6e11 #8965 add min-release-age (#8965) (@wraithgar)

Dependencies

aae84bf #8973 pacote@21.3.1
8bcb675 #8973 cidr-regex@5.0.2
f87aaab #8973 lru-cache@11.2.6
acec871 #8973 ssri@13.0.1
1e42a86 #8973 glob@13.0.2
e1c08a4 #8973 is-cidr@6.0.3
dfb0e34 #8973 semver@7.7.4
0ee7776 #8973 which@6.0.1

Chores

eb81df8 #8973 dev dependency updates (@wraithgar)
995e757 #8966 Clean up some todos, add tests for previously skipped blocks (@owlstronaut)
workspace: @npmcli/arborist@9.3.0
workspace: @npmcli/config@10.7.0
workspace: libnpmdiff@8.1.1
workspace: libnpmexec@10.2.1
workspace: libnpmfund@7.0.15
workspace: libnpmpack@9.1.1

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-04-01T00:37:39Z

Overview

Image reference	`djaytan/papermc-server:1.21.11`	`djaytan/papermc-server:test`
- digest	`c78edd932156`	`0f5f372484a2`
- tag	`1.21.11`	`test`
- stream	latest
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	82 MB	147 MB (+65 MB)
- packages	93	176 (+83)
Base Image	`alpine:3` also known as: • `3.23` • `latest`	`alpine:3` also known as: • `3.23` • `latest`
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	`djaytan/papermc-server:1.21.11`	`djaytan/papermc-server:test`	Change	Standing
No unapproved base images	❓ No data	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 47	⚠️ 43	-4	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	❓ No data	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (106 package changes and 8 vulnerability changes)

➕ 93 packages added

➖ 12 packages removed

♾️ 1 packages changed

77 packages unchanged

❗ 8 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version `djaytan/papermc-server:1.21.11`	Version `djaytan/papermc-server:test`
➕	alpine-base		`3.23.3-r0`
➕	ca-certificates		`20251003-r0`
➕	gcc		`15.2.0-r2`
➕	ncurses		`6.5_p20251123-r0`
➕	openssl		`3.5.5-r0`

			Added vulnerabilities (7):
➕	pax-utils		`1.3.8-r2`
➕	xz		`5.8.2-r0`

			Added vulnerabilities (1):
♾️	xz-libs	`5.8.3-r0`	`5.8.2-r0`

Changes for packages of type generic (2 changes)

	Package	Version `djaytan/papermc-server:1.21.11`	Version `djaytan/papermc-server:test`
➕	openjdk		`21.0.10`
➖	openjdk	`21.0.10`

Changes for packages of type golang (20 changes)

	Package	Version `djaytan/papermc-server:1.21.11`	Version `djaytan/papermc-server:test`
➖	cuelabs.dev/go/oci/ociregistry	`0.0.0-20250304105642-27e071d2c9b1`
➕	cuelabs.dev/go/oci/ociregistry		`0.0.0-20250304105642-27e071d2c9b1`
➕	github.com/cenkalti/backoff/v5		`5.0.3`
➖	github.com/cenkalti/backoff/v5	`5.0.3`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➕	github.com/cockroachdb/apd/v3		`3.2.1`
➖	github.com/cockroachdb/apd/v3	`3.2.1`
➕	github.com/grpc-ecosystem/grpc-gateway/v2		`2.27.7`
➖	github.com/grpc-ecosystem/grpc-gateway/v2	`2.27.7`
➕	github.com/pelletier/go-toml/v2		`2.2.4`
➖	github.com/pelletier/go-toml/v2	`2.2.4`
➖	go.opentelemetry.io/contrib/instrumentation/runtime	`0.65.0`
➕	go.opentelemetry.io/contrib/instrumentation/runtime		`0.65.0`
➖	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	`1.40.0`
➕	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc		`1.40.0`
➖	go.opentelemetry.io/otel/sdk/metric	`1.40.0`
➖	google.golang.org/genproto/googleapis/api	`0.0.0-20260203192932-546029d2fa20`
➕	google.golang.org/genproto/googleapis/rpc		`0.0.0-20260203192932-546029d2fa20`
➖	google.golang.org/genproto/googleapis/rpc	`0.0.0-20260203192932-546029d2fa20`

Changes for packages of type maven (76 changes)

	Package	Version `djaytan/papermc-server:test`
➕	AutoRenamingTool/AutoRenamingTool	`2.0.3`
➕	ansi/ansi	`1.1.1`
➕	asm-utils/asm-utils	`0.0.3`
➕	cli-utils/cli-utils	`2.1.4`
➕	com.google.errorprone/error_prone_annotations	`2.41.0`
➕	com.google.guava/listenablefuture	`9999.0-empty-to-avoid-conflict-with-guava`
➕	com.google.j2objc/j2objc-annotations	`3.1`
➕	com.google.protobuf/protobuf-java	`4.29.0`
➕	com.googlecode.json-simple/json-simple	`1.1.1`
➕	com.lmax.disruptor/disruptor	`3.4.4`
➕	com.mysql/mysql-connector-j	`9.2.0`
➕	commons-codec/commons-codec	`1.16.0`
➕	commons-lang/commons-lang	`2.6`

		Added vulnerabilities (1):
➕	concurrentutil/concurrentutil	`0.0.8`
➕	examination-api/examination-api	`1.3.0`
➕	examination-string/examination-string	`1.3.0`
➕	gson-io/gson-io	`2.0.17`
➕	io.leangen.geantyref/geantyref	`1.3.16`
➕	io.netty/netty-codec-haproxy	`4.2.7.Final`
➕	io.papermc.paperclip.Main/papermc-server	`1.21.11-69`
➕	io.sigpipe/jbsdiff	`1.0`
➕	net.kyori.adventure.key/adventure-key	`4.25.0`
➕	net.kyori.adventure.text.logger.slf4j/adventure-text-logger-slf4j	`4.25.0`
➕	net.kyori.adventure.text.minimessage/adventure-text-minimessage	`4.25.0`
➕	net.kyori.adventure.text.serializer.ansi/adventure-text-serializer-ansi	`4.25.0`
➕	net.kyori.adventure.text.serializer.constant/adventure-text-serializer-commons	`4.25.0`
➕	net.kyori.adventure.text.serializer.gson/adventure-text-serializer-gson	`4.25.0`
➕	net.kyori.adventure.text.serializer.json/adventure-text-serializer-json	`4.25.0`
➕	net.kyori.adventure.text.serializer.legacy/adventure-text-serializer-legacy	`4.25.0`
➕	net.kyori.adventure.text.serializer.plain/adventure-text-serializer-plain	`4.25.0`
➕	net.kyori.adventure/adventure-api	`4.25.0`
➕	net.md-5/bungeecord-chat	`1.21-R0.2`
➕	net.minecrell.terminalconsole/terminalconsoleappender	`1.3.0`
➕	option/option	`1.1.0`
➕	org.apache.commons/commons-compress	`1.5`

		Added vulnerabilities (5):
➕	org.apache.httpcomponents/httpclient	`4.5.14`
➕	org.apache.httpcomponents/httpcore	`4.4.16`
➕	org.apache.logging.log4j/log4j-iostreams	`2.24.1`
➕	org.apache.maven.resolver/maven-resolver-api	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-connector-basic	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-impl	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-named-locks	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-spi	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-transport-http	`1.9.18`
➕	org.apache.maven.resolver/maven-resolver-util	`1.9.18`
➕	org.apache.maven/maven-artifact	`3.9.6`
➕	org.apache.maven/maven-builder-support	`3.9.6`
➕	org.apache.maven/maven-model	`3.9.6`
➕	org.apache.maven/maven-model-builder	`3.9.6`
➕	org.apache.maven/maven-repository-metadata	`3.9.6`
➕	org.apache.maven/maven-resolver-provider	`3.9.6`
➕	org.bukkit/paper-api	`1.21.11-R0.1-SNAPSHOT`
➕	org.codehaus.plexus/plexus-interpolation	`1.26`
➕	org.codehaus.plexus/plexus-utils	`3.5.1`

		Added vulnerabilities (1):
➕	org.eclipse.sisu/org.eclipse.sisu.inject	`0.9.0.M2`
➕	org.jline/jline-native	`3.27.1`
➕	org.jline/jline-reader	`3.20.0`
➕	org.jline/jline-terminal	`3.27.1`
➕	org.jline/jline-terminal-ffm	`3.27.1`
➕	org.jline/jline-terminal-jni	`3.27.1`
➕	org.objectweb.asm.commons/asm-commons	`9.8`
➕	org.objectweb.asm.tree/asm-tree	`9.8`
➕	org.objectweb.asm/asm	`9.8`
➕	org.slf4j/jcl-over-slf4j	`1.7.36`
➕	org.spongepowered.configurate.yaml/configurate-yaml	`4.2.0`
➕	org.spongepowered.configurate/configurate-core	`4.2.0`
➕	org.xerial/sqlite-jdbc	`3.49.1.0`
➕	org.yaml/snakeyaml	`2.2`
➕	reflection-rewriter-proxy-generator/reflection-rewriter-proxy-generator	`0.0.3`
➕	reflection-rewriter-runtime/reflection-rewriter-runtime	`0.0.3`
➕	reflection-rewriter/reflection-rewriter	`0.0.3`
➕	spark-api/spark-api	`0.1-20240720.200737-2`
➕	spark-paper/spark-paper	`1.10.152`
➕	spec/spec	`2.0.17`
➕	srgutils/srgutils	`1.0.9`
➕	velocity-native/velocity-native	`3.4.0-SNAPSHOT`

github-actions · 2026-04-01T00:37:41Z

🔍 Vulnerabilities of `djaytan/papermc-server:test`

📦 Image Reference djaytan/papermc-server:test

digest	`sha256:0f5f372484a22afed7ef08e101d9f9db9264054f6c83797a46360ad761a3c8a1`
vulnerabilities
platform	linux/amd64
size	147 MB
packages	176

📦 Base Image alpine:3

also known as	`3.23` `3.23.3` `latest`
digest	`sha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95`
vulnerabilities

stdlib 1.24.4 (golang)

pkg:golang/stdlib@1.24.4

Affected range	`<1.24.13`
Fixed version	`1.24.13`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.12`
Fixed version	`1.24.12`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.040%`
EPSS Percentile	`12th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.039%`
EPSS Percentile	`12th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.12`
Fixed version	`1.24.12`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`>=1.24.0 <1.24.6`
Fixed version	`1.24.6`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`<1.24.12`
Fixed version	`1.24.12`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.016%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.037%`
EPSS Percentile	`11th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

openssl 3.5.5-r0 (apk)

pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.23

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.029%`
EPSS Percentile	`8th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.046%`
EPSS Percentile	`14th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.044%`
EPSS Percentile	`13th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.044%`
EPSS Percentile	`13th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

Affected range	`<3.5.6-r0`
Fixed version	`3.5.6-r0`
EPSS Score	`0.017%`
EPSS Percentile	`5th percentile`

Description

google.golang.org/grpc 1.78.0 (golang)

pkg:golang/google.golang.org/grpc@1.78.0

Improper Authorization

Affected range	`<1.79.3`
Fixed version	`1.79.3`
CVSS Score	`9.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
EPSS Score	`0.020%`
EPSS Percentile	`5th percentile`

Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).

Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

v1.79.3

The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/commons-compress@1.5

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.736%`
EPSS Percentile	`73rd percentile`

Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`1.319%`
EPSS Percentile	`80th percentile`

Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`1.740%`
EPSS Percentile	`83rd percentile`

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Excessive Iteration

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`1.191%`
EPSS Percentile	`79th percentile`

Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range	`>=1.3 <1.26.0`
Fixed version	`1.26.0`
CVSS Score	`5.9`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

golang.org/x/net 0.39.0 (golang)

pkg:golang/golang.org/x/net@0.39.0

Affected range	`<0.53.0`
Fixed version	`0.53.0`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<0.45.0`
Fixed version	`0.45.0`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Affected range	`<0.45.0`
Fixed version	`0.45.0`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

musl 1.2.5-r21 (apk)

pkg:apk/alpine/musl@1.2.5-r21?os_name=alpine&os_version=3.23

Affected range	`<1.2.5-r23`
Fixed version	`1.2.5-r23`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Affected range	`<1.2.5-r22`
Fixed version	`1.2.5-r22`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

go.opentelemetry.io/otel/sdk 1.40.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.40.0

Untrusted Search Path

Affected range	`>=1.15.0 <=1.42.0`
Fixed version	`1.43.0`
CVSS Score	`7.3`
CVSS Vector	`CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
Compare with the fixed Darwin path at line 58:
result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk

Attacker places a malicious kenv binary earlier in $PATH

Application initializes OpenTelemetry resource detection at startup

hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary

Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
On FreeBSD, kenv is located at /bin/kenv.

golang.org/x/net 0.49.0 (golang)

pkg:golang/golang.org/x/net@0.49.0

Affected range	`<0.53.0`
Fixed version	`0.53.0`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

org.codehaus.plexus/plexus-utils 3.5.1 (maven)

pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range	`<3.6.1`
Fixed version	`4.0.3`
EPSS Score	`0.273%`
EPSS Percentile	`51st percentile`

Description

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

go.opentelemetry.io/otel 1.40.0 (golang)

pkg:golang/go.opentelemetry.io/otel@1.40.0

Uncontrolled Resource Consumption

Affected range	`>=1.36.0 <=1.40.0`
Fixed version	`1.41.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.057%`
EPSS Percentile	`18th percentile`

Description

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

repository: https://github.com/open-telemetry/opentelemetry-go

pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

canonical: per_req_alloc_bytes=10315458 and p95_ms=7

control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:
mkdir -p poc
unzip poc.zip -d poc
cd poc
make test
output (excerpt):
[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165
control:
cd poc
make control
control output (excerpt):
[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480
expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

zlib 1.3.1-r2 (apk)

pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23

Affected range	`<1.3.2-r0`
Fixed version	`1.3.2-r0`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

Affected range	`<1.3.2-r0`
Fixed version	`1.3.2-r0`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

busybox 1.37.0-r30 (apk)

pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23

Affected range	`<=1.37.0-r30`
Fixed version	Not Fixed
EPSS Score	`0.051%`
EPSS Percentile	`16th percentile`

Description

commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/commons-lang@2.6

Uncontrolled Recursion

Affected range	`>=2.0 <=2.6`
Fixed version	Not Fixed
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
EPSS Score	`0.135%`
EPSS Percentile	`33rd percentile`

Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

xz 5.8.2-r0 (apk)

pkg:apk/alpine/xz@5.8.2-r0?os_name=alpine&os_version=3.23

Affected range	`<5.8.3-r0`
Fixed version	`5.8.3-r0`
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

sonarqubecloud · 2026-04-25T21:30:30Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-05-11T21:48:16Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate Bot added the t:dependencies label Apr 1, 2026

renovate Bot requested a review from Djaytan as a code owner April 1, 2026 00:35

renovate Bot added the t:dependencies label Apr 1, 2026

renovate Bot force-pushed the renovate/npm-11.x branch from 46e8d34 to f2b69c8 Compare April 25, 2026 21:30

renovate Bot changed the title ~~chore(deps): update npm to v11.12.1~~ chore(deps): update npm to v11.13.0 Apr 25, 2026

renovate Bot force-pushed the renovate/npm-11.x branch from f2b69c8 to 096dd3e Compare May 9, 2026 20:49

renovate Bot changed the title ~~chore(deps): update npm to v11.13.0~~ chore(deps): update npm to v11.14.0 May 9, 2026

chore(deps): update npm to v11.14.1

905cca8

renovate Bot force-pushed the renovate/npm-11.x branch from 096dd3e to 905cca8 Compare May 11, 2026 21:47

renovate Bot changed the title ~~chore(deps): update npm to v11.14.0~~ chore(deps): update npm to v11.14.1 May 11, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update npm to v11.14.1#399

chore(deps): update npm to v11.14.1#399
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-11.x

renovate Bot commented Apr 1, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 1, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 1, 2026 •

edited

Loading

Impact

Patches

Workarounds

1. Use a Validating Interceptor (Recommended Mitigation)

2. Infrastructure-Level Normalization

3. Policy Hardening

Summary

Root Cause

Attack

Suggested Fix

severity

relevant links

vulnerability details

root cause

impact

proof of concept

fix recommendation

Uh oh!

sonarqubecloud Bot commented Apr 25, 2026

Uh oh!

sonarqubecloud Bot commented May 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Bug Fixes

Features

Bug Fixes

Dependencies

Chores

Bug Fixes

Documentation

Dependencies

Features

Bug Fixes

Dependencies

Chores

Bug Fixes

Documentation

Dependencies

Chores

Features

Bug Fixes

Documentation

Dependencies

Bug Fixes

Documentation

Dependencies

Chores

Features

Dependencies

Chores

Configuration

Uh oh!

github-actions Bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Overview

Uh oh!

github-actions Bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Vulnerabilities of djaytan/papermc-server:test

Impact

Patches

Workarounds

1. Use a Validating Interceptor (Recommended Mitigation)

2. Infrastructure-Level Normalization

3. Policy Hardening

Summary

Root Cause

Attack

Suggested Fix

severity

relevant links

vulnerability details

root cause

impact

proof of concept

fix recommendation

Uh oh!

sonarqubecloud Bot commented Apr 25, 2026

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented May 11, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 1, 2026 •

edited

Loading

github-actions Bot commented Apr 1, 2026 •

edited

Loading

github-actions Bot commented Apr 1, 2026 •

edited

Loading

🔍 Vulnerabilities of `djaytan/papermc-server:test`