Skip to content

Security: Fix CVE-2025-22868 (golang.org/x/oauth2)#2813

Closed
theakshaypant wants to merge 1 commit into
release-v0.27.xfrom
fix/cve-2025-22868-x-oauth2-release-v0.27.x-attempt-1
Closed

Security: Fix CVE-2025-22868 (golang.org/x/oauth2)#2813
theakshaypant wants to merge 1 commit into
release-v0.27.xfrom
fix/cve-2025-22868-x-oauth2-release-v0.27.x-attempt-1

Conversation

@theakshaypant

Copy link
Copy Markdown
Member

Summary

This PR fixes CVE-2025-22868 by upgrading golang.org/x/oauth2 from v0.18.0 to v0.27.0.

CVE Details

  • CVE ID: CVE-2025-22868
  • Package: golang.org/x/oauth2
  • Severity: High (CVSS 7.5)
  • Impact: Unexpected memory consumption during token parsing — a crafted OAuth2 token response causes unbounded memory growth, enabling denial of service against services that parse untrusted tokens.
  • Vulnerable versions: < v0.27.0
  • Fixed version: v0.27.0

Changes

  • Upgraded golang.org/x/oauth2 v0.18.0 → v0.27.0
  • Removed transitive dependency on google.golang.org/appengine (dropped in oauth2 v0.21.0) — removes ~9,900 lines from vendor
  • Run go mod tidy && go mod vendor to update lockfiles
  • Note: go directive bumped 1.21 → 1.23.0 (minimum required by oauth2 v0.27.0)

Test Results

Status: ✅ Build passed

Build:go build ./... succeeded
Post-fix scan:govulncheck — GO-2025-3488 (CVE-2025-22868) no longer detected

Breaking Changes

  • go directive bumped: go 1.21go 1.23.0 (required by oauth2 v0.27.0 dependency chain)
  • No API changes to the oauth2 package for APIs used in this repository

Verification Checklist

  • CVE confirmed present before fix (GO-2025-3488 detected by govulncheck)
  • golang.org/x/oauth2 upgraded to v0.27.0
  • go mod vendor updated
  • go build ./... passes
  • Post-fix govulncheck confirms CVE-2025-22868 no longer detected
  • CI passes

Risk Assessment

Low-Medium — oauth2 v0.27.0 is backward compatible for all APIs used in this repo. The go directive bump to 1.23.0 increases the minimum required Go toolchain but is a necessary side-effect of the CVE fix dependency chain.


🤖 Generated by CVE Fixer Workflow

- Upgrade golang.org/x/oauth2 from v0.18.0 to v0.27.0
- Fixes CVE-2025-22868 (HIGH 7.5): Unexpected memory consumption
  during token parsing in golang.org/x/oauth2
- Removes transitive dependency on google.golang.org/appengine
  (dropped in oauth2 v0.21.0) — cleans up 9k+ lines from vendor
- Run go mod tidy && go mod vendor to update dependencies
- Post-fix govulncheck confirms GO-2025-3488 resolved
- Note: go directive bumped 1.21 => 1.23.0 (required by oauth2 v0.27.0)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@linux-foundation-easycla

Copy link
Copy Markdown

CLA Missing ID

  • ❌ The email address for the commit (40c7e48) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Go version to 1.23.0, upgrades the golang.org/x/oauth2 dependency, and removes the unused google.golang.org/appengine dependency. The review feedback correctly highlights that updating the Go version in go.mod without corresponding updates in the Dockerfile and Makefile will lead to build inconsistencies and potential CI failures.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread go.mod
module github.com/openshift-pipelines/pipelines-as-code

go 1.21
go 1.23.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Bumping the Go version to 1.23.0 in go.mod creates an inconsistency with the rest of the repository. Specifically, Dockerfile still uses golang:1.21 as the builder image, and Makefile defines GO_TOOLCHAIN ?= go1.21.13. This mismatch will cause build failures in Docker-based builds and CI pipelines. Please update the Go version in Dockerfile and Makefile to 1.23 to match go.mod.

References
  1. The go directive in go.mod can include specific patch versions when automatically updated by go mod tidy to align with dependencies.

@theakshaypant theakshaypant marked this pull request as draft June 30, 2026 09:22
@theakshaypant theakshaypant deleted the fix/cve-2025-22868-x-oauth2-release-v0.27.x-attempt-1 branch July 6, 2026 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant