🔐 Security Review: Multiple CVEs Affecting Go Standard Library (Temporal CLI)

### Description

Several security vulnerabilities (CVEs) affecting the Go standard library have been identified.  
We would like to confirm whether **Temporal CLI** is impacted by these CVEs and whether any remediation (Go version upgrade, patch, or mitigation) is planned or already applied.

This issue aligns with the security review performed for Temporal core:  
**Reference:** https://github.com/temporalio/temporal/issues/8698

---

### 📌 Identified CVEs

| CVE ID | Description |
|------|------------|
| CVE-2025-47912 | `Parse()` incorrectly allows non-IPv6 values inside square brackets in URL host (RFC 3986 violation). |
| CVE-2025-58185 | Malicious DER payloads may allocate excessive memory, leading to memory exhaustion. |
| CVE-2025-58186 | Unlimited cookie parsing may result in high memory usage when many small cookies are sent. |
| CVE-2025-58187 | Name constraint checking scales non-linearly with certificate size, causing performance impact. |
| CVE-2025-58188 | DSA-based certificate validation may cause program panic due to unsafe interface casting. |
| CVE-2025-58189 | `Conn.Handshake` may leak attacker-controlled ALPN protocol values without escaping. |
| CVE-2025-61724 | `Reader.ReadResponse()` uses repeated string concatenation, leading to high CPU usage. |
| CVE-2025-61725 | `ParseAddress()` repeatedly concatenates domain literals, causing CPU performance degradation. |

---

### ➕ Additional CVEs Observed

- CVE-2025-47910  
- CVE-2025-47914  
- CVE-2025-58181  
- CVE-2025-58183  
- CVE-2025-61723  
- CVE-2025-61727  
- CVE-2025-61729  
- CVE-2025-14986  
- CVE-2025-14987  

---

### 🧪 Suggested Areas to Review

- Go runtime and standard library usage in Temporal CLI
- HTTP, TLS, certificate parsing, and URL parsing code paths
- Dependencies that rely on Go standard library behavior

**Observed Go Version:** `1.25.0`  
**Recommended Version (per advisories):** `>= 1.25.3` (or later patched release)

---

### ✅ Expected Outcome

- Confirm whether Temporal CLI is affected by the listed CVEs
- Identify the minimum safe Go version
- Apply Go version bump or mitigations if required
- Document resolution and link fixing commits or PRs

---

### 📎 References

- Go Security Advisories  
- Temporal core security issue: https://github.com/temporalio/temporal/issues/8698


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔐 Security Review: Multiple CVEs Affecting Go Standard Library (Temporal CLI) #923

Description

📌 Identified CVEs

➕ Additional CVEs Observed

🧪 Suggested Areas to Review

✅ Expected Outcome

📎 References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE ID	Description
CVE-2025-47912	`Parse()` incorrectly allows non-IPv6 values inside square brackets in URL host (RFC 3986 violation).
CVE-2025-58185	Malicious DER payloads may allocate excessive memory, leading to memory exhaustion.
CVE-2025-58186	Unlimited cookie parsing may result in high memory usage when many small cookies are sent.
CVE-2025-58187	Name constraint checking scales non-linearly with certificate size, causing performance impact.
CVE-2025-58188	DSA-based certificate validation may cause program panic due to unsafe interface casting.
CVE-2025-58189	`Conn.Handshake` may leak attacker-controlled ALPN protocol values without escaping.
CVE-2025-61724	`Reader.ReadResponse()` uses repeated string concatenation, leading to high CPU usage.
CVE-2025-61725	`ParseAddress()` repeatedly concatenates domain literals, causing CPU performance degradation.

🔐 Security Review: Multiple CVEs Affecting Go Standard Library (Temporal CLI) #923

Description

Description

📌 Identified CVEs

➕ Additional CVEs Observed

🧪 Suggested Areas to Review

✅ Expected Outcome

📎 References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions