K8s.io/Client-go-v0.32.2: 2 Vulnerabilities (highest Severity Is: 7.5)

k8s.io/Client-go-v0.32.2: 2 Vulnerabilities (Highest Severity is: 7.5)

Introduction

The k8s.io/Client-go-v0.32.2 library has been identified as having two vulnerabilities, with the highest severity being 7.5. These vulnerabilities can potentially allow an attacker to pass a malicious malformed token, causing unexpected memory consumption during parsing. In this article, we will delve into the details of these vulnerabilities, including the affected libraries, vulnerability details, and suggested fixes.

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (k8s.io/Client-go-v0.32.2 version)	Remediation Possible
CVE-2025-22868	High	7.5	golang.org/x/oauth2-v0.23.0	Transitive	N/A*	❌
CVE-2025-22870	Medium	5.5	golang.org/x/net-v0.33.0	Transitive	N/A*	❌

For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2025-22868

Vulnerable Library - golang.org/x/oauth2-v0.23.0

Library home page: https://proxy.golang.org/golang.org/x/oauth2/@v/v0.23.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/oauth2/@v/v0.23.0.mod

Dependency Hierarchy:

• k8s.io/Client-go-v0.32.2 (Root Library)
  • :x: golang.org/x/oauth2-v0.23.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Publish Date: 2025-02-26

URL: CVE-2025-22868

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2025-3488

Release Date: 2025-02-26

Fix Resolution: v0.27.0

CVE-2025-22870

Vulnerable Library - golang.org/x/net-v0.33.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.33.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.33.0.mod

Dependency Hierarchy:

• k8s.io/Client-go-v0.32.2 (Root Library)
  • :x: golang.org/x/net-v0.33.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Go net/http, x/net/proxy, x/net/http/httpproxy there is a proxy bypass vulnerability using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied. This affects versions before 1.23.7 and 1.24.x before 1.24.1.

Publish Date: 2025-03-08

URL: CVE-2025-22870

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-03-08

Fix Resolution: go1.24.1

Conclusion

The k8s.io/Client-go-v0.32.2 library has been identified as having two vulnerabilities, with the highest severity being 7.5. These vulnerabilities can potentially allow an attacker to pass a malicious malformed token, causing unexpected memory consumption during parsing. It is essential to upgrade the affected libraries to the latest versions to mitigate these vulnerabilities. We recommend upgrading golang.org/x/oauth2 to version v0.27.0 and golang.org/x/net to version go1.24.1.

Step up your Open Source Security Game with Mend

To stay ahead of the game, it is crucial to have a robust open-source security strategy in place. Mend offers a comprehensive solution to help you identify and fix vulnerabilities in your open-source dependencies. With Mend, you can:

• Identify vulnerabilities in your open-source dependencies
• Prioritize and remediate vulnerabilities based on severity and risk
• Automate vulnerability fixes and updates
• Integrate with your existing CI/CD pipelines

Learn more about Mend's full solution for open-source security here.
k8s.io/Client-go-v0.32.2: 2 Vulnerabilities (Highest Severity is: 7.5) - Q&A

Introduction

The k8s.io/Client-go-v0.32.2 library has been identified as having two vulnerabilities, with the highest severity being 7.5. These vulnerabilities can potentially allow an attacker to pass a malicious malformed token, causing unexpected memory consumption during parsing. In this Q&A article, we will address some of the most frequently asked questions about these vulnerabilities.

Q: What are the two vulnerabilities in k8s.io/Client-go-v0.32.2?

A: The two vulnerabilities in k8s.io/Client-go-v0.32.2 are:

1. CVE-2025-22868: A high-severity vulnerability that allows an attacker to pass a malicious malformed token, causing unexpected memory consumption during parsing.
2. CVE-2025-22870: A medium-severity vulnerability that affects the proxy bypass functionality in Go net/http, x/net/proxy, and x/net/http/httpproxy.

Q: What is the impact of these vulnerabilities?

A: The impact of these vulnerabilities is significant. An attacker can potentially exploit these vulnerabilities to cause unexpected memory consumption during parsing, leading to a denial-of-service (DoS) attack. Additionally, the proxy bypass vulnerability can allow an attacker to bypass security measures and access sensitive data.

Q: How can I identify if my project is affected by these vulnerabilities?

A: To identify if your project is affected by these vulnerabilities, you can use the following steps:

1. Check the dependencies in your project's go.mod file.
2. Use a vulnerability scanner, such as Mend, to scan your project's dependencies for known vulnerabilities.
3. Check the version of the affected libraries in your project's go.mod file.

Q: How can I remediate these vulnerabilities?

A: To remediate these vulnerabilities, you can follow these steps:

1. Upgrade the affected libraries to the latest versions.
2. Use a vulnerability scanner, such as Mend, to identify and fix vulnerabilities in your project's dependencies.
3. Integrate with your existing CI/CD pipelines to automate vulnerability fixes and updates.

Q: What is the recommended fix for CVE-2025-22868?

A: The recommended fix for CVE-2025-22868 is to upgrade golang.org/x/oauth2 to version v0.27.0.

Q: What is the recommended fix for CVE-2025-22870?

A: The recommended fix for CVE-2025-22870 is to upgrade golang.org/x/net to version go1.24.1.

Q: Can I use a vulnerability scanner to identify and fix these vulnerabilities?

A: Yes, you can use a vulnerability scanner, such as Mend, to identify and fix these vulnerabilities. Mend offers a comprehensive solution to help you identify and fix vulnerabilities in your open-source dependencies.

Q: How can I integrate with my existing CI/CD pipelines to automate vulnerability fixes and updates?

A: To integrate with your existing CI/CD pipelines, you can use a vulnerability scanner, such as Mend, to automate vulnerability fixes and updates. Mend offers a comprehensive solution to help you integrate with your existing CI/CD pipelines.

Conclusion

The k8s.io/Client-go-v0.32.2 library has been identified as having two vulnerabilities, with the highest severity being 7.5. These vulnerabilities can potentially allow an attacker to pass a malicious malformed token, causing unexpected memory consumption during parsing. It is essential to upgrade the affected libraries to the latest versions to mitigate these vulnerabilities. We recommend upgrading golang.org/x/oauth2 to version v0.27.0 and golang.org/x/net to version go1.24.1.

Step up your Open Source Security Game with Mend

To stay ahead of the game, it is crucial to have a robust open-source security strategy in place. Mend offers a comprehensive solution to help you identify and fix vulnerabilities in your open-source dependencies. With Mend, you can:

• Identify vulnerabilities in your open-source dependencies
• Prioritize and remediate vulnerabilities based on severity and risk
• Automate vulnerability fixes and updates
• Integrate with your existing CI/CD pipelines

Learn more about Mend's full solution for open-source security here.