chore(deps): update step-security/harden-runner action to v2.19.3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
step-security/harden-runner	action	minor	v2.14.2 → v2.19.3

---

Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

Compare Source

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

Compare Source

What's Changed

• Fixes #​642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

Compare Source

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test
- digest	c78edd932156	0f5f372484a2
- tag	1.21.11	test
- stream	latest
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	82 MB	147 MB (+65 MB)
- packages	93	176 (+83)
Base Image	alpine:3 also known as: • 3.23 • latest	alpine:3 also known as: • 3.23 • latest
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test	Change	Standing
No unapproved base images	❓ No data	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 47	⚠️ 43	-4	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	❓ No data	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (106 package changes and 8 vulnerability changes)

• ➕ 93 packages added
• ➖ 12 packages removed
• ♾️ 1 packages changed
• 77 packages unchanged

• ❗ 8 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	alpine-base		3.23.3-r0
➕	ca-certificates		20251003-r0
➕	gcc		15.2.0-r2
➕	ncurses		6.5_p20251123-r0
➕	openssl		3.5.5-r0
			Added vulnerabilities (7):
➕	pax-utils		1.3.8-r2
➕	xz		5.8.2-r0
			Added vulnerabilities (1):
♾️	xz-libs	5.8.3-r0	5.8.2-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➖	openjdk	21.0.10
➕	openjdk		21.0.10

Changes for packages of type golang (20 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	cuelabs.dev/go/oci/ociregistry		0.0.0-20250304105642-27e071d2c9b1
➖	cuelabs.dev/go/oci/ociregistry	0.0.0-20250304105642-27e071d2c9b1
➖	github.com/cenkalti/backoff/v5	5.0.3
➕	github.com/cenkalti/backoff/v5		5.0.3
➖	github.com/cespare/xxhash/v2	2.3.0
➕	github.com/cespare/xxhash/v2		2.3.0
➕	github.com/cockroachdb/apd/v3		3.2.1
➖	github.com/cockroachdb/apd/v3	3.2.1
➖	github.com/grpc-ecosystem/grpc-gateway/v2	2.27.7
➕	github.com/grpc-ecosystem/grpc-gateway/v2		2.27.7
➕	github.com/pelletier/go-toml/v2		2.2.4
➖	github.com/pelletier/go-toml/v2	2.2.4
➖	go.opentelemetry.io/contrib/instrumentation/runtime	0.65.0
➕	go.opentelemetry.io/contrib/instrumentation/runtime		0.65.0
➖	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	1.40.0
➕	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc		1.40.0
➖	go.opentelemetry.io/otel/sdk/metric	1.40.0
➖	google.golang.org/genproto/googleapis/api	0.0.0-20260203192932-546029d2fa20
➖	google.golang.org/genproto/googleapis/rpc	0.0.0-20260203192932-546029d2fa20
➕	google.golang.org/genproto/googleapis/rpc		0.0.0-20260203192932-546029d2fa20

Changes for packages of type maven (76 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	AutoRenamingTool/AutoRenamingTool		2.0.3
➕	ansi/ansi		1.1.1
➕	asm-utils/asm-utils		0.0.3
➕	cli-utils/cli-utils		2.1.4
➕	com.google.errorprone/error_prone_annotations		2.41.0
➕	com.google.guava/listenablefuture		9999.0-empty-to-avoid-conflict-with-guava
➕	com.google.j2objc/j2objc-annotations		3.1
➕	com.google.protobuf/protobuf-java		4.29.0
➕	com.googlecode.json-simple/json-simple		1.1.1
➕	com.lmax.disruptor/disruptor		3.4.4
➕	com.mysql/mysql-connector-j		9.2.0
➕	commons-codec/commons-codec		1.16.0
➕	commons-lang/commons-lang		2.6
			Added vulnerabilities (1):
➕	concurrentutil/concurrentutil		0.0.8
➕	examination-api/examination-api		1.3.0
➕	examination-string/examination-string		1.3.0
➕	gson-io/gson-io		2.0.17
➕	io.leangen.geantyref/geantyref		1.3.16
➕	io.netty/netty-codec-haproxy		4.2.7.Final
➕	io.papermc.paperclip.Main/papermc-server		1.21.11-69
➕	io.sigpipe/jbsdiff		1.0
➕	net.kyori.adventure.key/adventure-key		4.25.0
➕	net.kyori.adventure.text.logger.slf4j/adventure-text-logger-slf4j		4.25.0
➕	net.kyori.adventure.text.minimessage/adventure-text-minimessage		4.25.0
➕	net.kyori.adventure.text.serializer.ansi/adventure-text-serializer-ansi		4.25.0
➕	net.kyori.adventure.text.serializer.constant/adventure-text-serializer-commons		4.25.0
➕	net.kyori.adventure.text.serializer.gson/adventure-text-serializer-gson		4.25.0
➕	net.kyori.adventure.text.serializer.json/adventure-text-serializer-json		4.25.0
➕	net.kyori.adventure.text.serializer.legacy/adventure-text-serializer-legacy		4.25.0
➕	net.kyori.adventure.text.serializer.plain/adventure-text-serializer-plain		4.25.0
➕	net.kyori.adventure/adventure-api		4.25.0
➕	net.md-5/bungeecord-chat		1.21-R0.2
➕	net.minecrell.terminalconsole/terminalconsoleappender		1.3.0
➕	option/option		1.1.0
➕	org.apache.commons/commons-compress		1.5
			Added vulnerabilities (5):
➕	org.apache.httpcomponents/httpclient		4.5.14
➕	org.apache.httpcomponents/httpcore		4.4.16
➕	org.apache.logging.log4j/log4j-iostreams		2.24.1
➕	org.apache.maven.resolver/maven-resolver-api		1.9.18
➕	org.apache.maven.resolver/maven-resolver-connector-basic		1.9.18
➕	org.apache.maven.resolver/maven-resolver-impl		1.9.18
➕	org.apache.maven.resolver/maven-resolver-named-locks		1.9.18
➕	org.apache.maven.resolver/maven-resolver-spi		1.9.18
➕	org.apache.maven.resolver/maven-resolver-transport-http		1.9.18
➕	org.apache.maven.resolver/maven-resolver-util		1.9.18
➕	org.apache.maven/maven-artifact		3.9.6
➕	org.apache.maven/maven-builder-support		3.9.6
➕	org.apache.maven/maven-model		3.9.6
➕	org.apache.maven/maven-model-builder		3.9.6
➕	org.apache.maven/maven-repository-metadata		3.9.6
➕	org.apache.maven/maven-resolver-provider		3.9.6
➕	org.bukkit/paper-api		1.21.11-R0.1-SNAPSHOT
➕	org.codehaus.plexus/plexus-interpolation		1.26
➕	org.codehaus.plexus/plexus-utils		3.5.1
			Added vulnerabilities (1):
➕	org.eclipse.sisu/org.eclipse.sisu.inject		0.9.0.M2
➕	org.jline/jline-native		3.27.1
➕	org.jline/jline-reader		3.20.0
➕	org.jline/jline-terminal		3.27.1
➕	org.jline/jline-terminal-ffm		3.27.1
➕	org.jline/jline-terminal-jni		3.27.1
➕	org.objectweb.asm.commons/asm-commons		9.8
➕	org.objectweb.asm.tree/asm-tree		9.8
➕	org.objectweb.asm/asm		9.8
➕	org.slf4j/jcl-over-slf4j		1.7.36
➕	org.spongepowered.configurate.yaml/configurate-yaml		4.2.0
➕	org.spongepowered.configurate/configurate-core		4.2.0
➕	org.xerial/sqlite-jdbc		3.49.1.0
➕	org.yaml/snakeyaml		2.2
➕	reflection-rewriter-proxy-generator/reflection-rewriter-proxy-generator		0.0.3
➕	reflection-rewriter-runtime/reflection-rewriter-runtime		0.0.3
➕	reflection-rewriter/reflection-rewriter		0.0.3
➕	spark-api/spark-api		0.1-20240720.200737-2
➕	spark-paper/spark-paper		1.10.152
➕	spec/spec		2.0.17
➕	srgutils/srgutils		1.0.9
➕	velocity-native/velocity-native		3.4.0-SNAPSHOT

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:0f5f372484a22afed7ef08e101d9f9db9264054f6c83797a46360ad761a3c8a1
vulnerabilities
platform	linux/amd64
size	147 MB
packages	176

📦 Base Image alpine:3

also known as	3.23 3.23.3 latest
digest	sha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 Affected range <1.24.13 Fixed version 1.24.13 EPSS Score 0.018% EPSS Percentile 5th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.030% EPSS Percentile 9th percentile Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.023% EPSS Percentile 7th percentile Description The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.055% EPSS Percentile 17th percentile Description Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.025% EPSS Percentile 7th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.017% EPSS Percentile 4th percentile Description When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.044% EPSS Percentile 14th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.017% EPSS Percentile 4th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.034% EPSS Percentile 10th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.040% EPSS Percentile 12th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.039% EPSS Percentile 12th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.009% EPSS Percentile 1st percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 5th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.019% EPSS Percentile 5th percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.008% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.030% EPSS Percentile 9th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.016% EPSS Percentile 4th percentile Description If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.014% EPSS Percentile 3rd percentile Description CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.004% EPSS Percentile 0th percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.016% EPSS Percentile 4th percentile Description ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.021% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 4th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.037% EPSS Percentile 11th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.017% EPSS Percentile 4th percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.007% EPSS Percentile 1st percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

openssl 3.5.5-r0 (apk) pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.23 Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.006% EPSS Percentile 0th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.043% EPSS Percentile 13th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.035% EPSS Percentile 10th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.085% EPSS Percentile 25th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.085% EPSS Percentile 25th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.034% EPSS Percentile 10th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.018% EPSS Percentile 5th percentile Description

google.golang.org/grpc 1.78.0 (golang) pkg:golang/google.golang.org/grpc@1.78.0 Improper Authorization Affected range <1.79.3 Fixed version 1.79.3 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.020% EPSS Percentile 5th percentile Description Impact What kind of vulnerability is it? Who is impacted? It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. Who is impacted? This affects gRPC-Go servers that meet both of the following criteria: They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx). Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server. Patches Has the problem been patched? What versions should users upgrade to? Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer): v1.79.3 The latest master branch. It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release. Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: 1. Use a Validating Interceptor (Recommended Mitigation) Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs: func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { if info.FullMethod == "" || info.FullMethod[0] != '/' { return nil, status.Errorf(codes.Unimplemented, "malformed method name") } return handler(ctx, req) } // Ensure this is the FIRST interceptor in your chain s := grpc.NewServer( grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor), ) 2. Infrastructure-Level Normalization If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash. 3. Policy Hardening Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

stdlib 1.25.7 (golang) pkg:golang/stdlib@1.25.7 Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.030% EPSS Percentile 9th percentile Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.023% EPSS Percentile 7th percentile Description The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.055% EPSS Percentile 17th percentile Description Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.025% EPSS Percentile 7th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.017% EPSS Percentile 4th percentile Description When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.019% EPSS Percentile 5th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.044% EPSS Percentile 14th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.016% EPSS Percentile 4th percentile Description If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.014% EPSS Percentile 3rd percentile Description CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.004% EPSS Percentile 0th percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.10 Fixed version 1.25.10 EPSS Score 0.016% EPSS Percentile 4th percentile Description ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.007% EPSS Percentile 1st percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/commons-compress@1.5 Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.736% EPSS Percentile 73rd percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.319% EPSS Percentile 80th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.740% EPSS Percentile 83rd percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.191% EPSS Percentile 79th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 5th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

golang.org/x/net 0.39.0 (golang) pkg:golang/golang.org/x/net@0.39.0 Affected range <0.53.0 Fixed version 0.53.0 EPSS Score 0.025% EPSS Percentile 7th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.011% EPSS Percentile 1st percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.017% EPSS Percentile 4th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

musl 1.2.5-r21 (apk) pkg:apk/alpine/musl@1.2.5-r21?os_name=alpine&os_version=3.23 Affected range <1.2.5-r23 Fixed version 1.2.5-r23 EPSS Score 0.020% EPSS Percentile 6th percentile Description Affected range <1.2.5-r22 Fixed version 1.2.5-r22 EPSS Score 0.017% EPSS Percentile 4th percentile Description

golang.org/x/net 0.49.0 (golang) pkg:golang/golang.org/x/net@0.49.0 Affected range <0.53.0 Fixed version 0.53.0 EPSS Score 0.025% EPSS Percentile 7th percentile Description When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

go.opentelemetry.io/otel 1.40.0 (golang) pkg:golang/go.opentelemetry.io/otel@1.40.0 Uncontrolled Resource Consumption Affected range >=1.36.0 <=1.40.0 Fixed version 1.41.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.057% EPSS Percentile 18th percentile Description multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. severity HIGH (availability / remote request amplification) relevant links repository: https://github.com/open-telemetry/opentelemetry-go pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58 vulnerability details pins: open-telemetry/opentelemetry-go@1ee4a41 as-of: 2026-02-04 policy: direct (no program scope provided) callsite: propagation/baggage.go:58 (extractMultiBaggage) attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation root cause extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit). impact in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency. example from the attached PoC harness (darwin/arm64; 80 values; 40 requests): canonical: per_req_alloc_bytes=10315458 and p95_ms=7 control: per_req_alloc_bytes=133429 and p95_ms=0 proof of concept canonical: mkdir -p poc unzip poc.zip -d poc cd poc make test output (excerpt): [CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage [PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165 control: cd poc make control control output (excerpt): [NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480 expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes. fix recommendation avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total). fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms. poc.zip PR_DESCRIPTION.md

go.opentelemetry.io/otel/sdk 1.40.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.40.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.009% EPSS Percentile 1st percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

org.codehaus.plexus/plexus-utils 3.5.1 (maven) pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <3.6.1 Fixed version 4.0.3 EPSS Score 0.273% EPSS Percentile 51st percentile Description Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

zlib 1.3.1-r2 (apk) pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23 Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.008% EPSS Percentile 1st percentile Description Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.009% EPSS Percentile 1st percentile Description

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/commons-lang@2.6 Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.135% EPSS Percentile 33rd percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

busybox 1.37.0-r30 (apk) pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23 Affected range <=1.37.0-r30 Fixed version Not Fixed EPSS Score 0.051% EPSS Percentile 16th percentile Description

xz 5.8.2-r0 (apk) pkg:apk/alpine/xz@5.8.2-r0?os_name=alpine&os_version=3.23 Affected range <5.8.3-r0 Fixed version 5.8.3-r0 EPSS Score 0.060% EPSS Percentile 19th percentile Description

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud