Skip to content

[GHSA-3wqc-mwfx-672p] Traefik affected by Go oauth2/jws Improper Validation of Syntactic Correctness of Input vulnerability #5808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[GHSA-3wqc-mwfx-672p] Traefik affected by Go oauth2/jws Improper Validation of Syntactic Correctness of Input vulnerability #5808

wants to merge 1 commit into from

Conversation

prabhu
Copy link

@prabhu prabhu commented Jul 15, 2025

Updates

  • Affected products

Comments
Based on https://osv.dev/vulnerability/GO-2025-3488.

Without explicit reference to golang.org/x/oauth2, some scanners are not reporting CVE-2025-22868 for oauth2.

@github
Copy link
Collaborator

github commented Jul 15, 2025

Hi there @emilevauge! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to prabhu/advisory-improvement-5808 July 15, 2025 09:19
@prabhu prabhu mentioned this pull request Jul 15, 2025
Open
@github-actions github-actions bot deleted the prabhu-GHSA-3wqc-mwfx-672p branch July 17, 2025 20:46
@helixplant helixplant restored the prabhu-GHSA-3wqc-mwfx-672p branch July 17, 2025 20:49
@helixplant
Copy link

Hi @prabhu,
We accidentally closed this PR in error, but please be assured we are still actively reviewing this issue. We will be sure to inform you when we have more information!

@shelbyc
Copy link
Contributor

shelbyc commented Jul 18, 2025

Hi @prabhu, GHSA-6v2p-p543-phr9 has been published so that golang.org/x/oauth2, the package in which CVE-2025-22868 originates, has its own advisory separate from Traefik's advisory about how CVE-2025-22868 affects their product. Thanks for raising golang.org/x/oauth2 to us and have a great weekend!

@shelbyc shelbyc deleted the prabhu-GHSA-3wqc-mwfx-672p branch July 18, 2025 17:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@prabhu @github @helixplant @shelbyc
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy