GitHub
06/10/2025, 1:57 PM
`azuredevops/git_test.go` (link) which does not reflect that. And if you compare it to the Azure DevOps documentation it's missing the `changeCounts` key.
To fix this, I updated the `GitCommitDiffs` struct by changing the key to a string type, aligning it with other structs that have a `changeCounts` key for consistency.
## tests
`make test-all` went through without errors. And thanks to @leonardocaylent for testing the new build with the change in his environment.
## references
runatlantis/atlantis
GitHub
06/10/2025, 9:33 PM
## CIRCL v1.6.1
• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.
### What's Changed
• kem/hybrid: ensure X25519 hybrids fails with low order points by `@Lekensteyn` in cloudflare/circl#541
• .github: Use native ARM64 builders instead of QEMU by `@Lekensteyn` in cloudflare/circl#542
• Fixes several errors on twisted Edwards curves. by `@armfazh` in cloudflare/circl#545
• Release v1.6.1 by `@armfazh` in cloudflare/circl#546
Full Changelog: cloudflare/circl@v1.6.0...v1.6.1
Commits
• `c6d33e3` Release v1.6.1
• `0c3868e` curve4q: Shared must fail with low order points.
• `9fd570d` curve4q: Test showing DH does not fails on identity point.
• `c988ceb` fourq: Correctly unmarshalling point.
• `ef2611d` fourq: Test showing point unmarshal fails.
• `05eba44` fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
• `eef0878` fourq: Test showing isEqual and IsOnCurve fail.
• `2298474` goldilocks; Handling points with z=0.
• `5a940a1` goldilocks: Test for IsEqual must fail with Z=0
• `48c3b6a` ed25519: Fix isEqual to handle points with Z=0.
• Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
• `@dependabot rebase` will rebase this PR
• `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
• `@dependabot merge` will merge this PR after your CI passes on it
• `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
• `@dependabot cancel merge` will cancel a previously requested merge and block automerging
• `@dependabot reopen` will reopen this PR if it is closed
• `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
• `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
runatlantis/atlantis
Amit
06/11/2025, 8:33 AM
GitHub
06/11/2025, 12:44 PM
GitHub
06/13/2025, 2:14 AM
`isMinimized` attribute to avoid minimizing already minimized comments on each Atlantis command execution.
## why
This helps to avoid performance degradation by minimizing only non-minimized Atlantis comments, as opposed to processing all comments sequentially on each Atlantis command execution.
## tests
• I have tested my changes by running unit tests.
• I have tested my changes by running this version of Atlantis and checking if the --hide-prev-plan-comments performance still works in general and the performance degradation disappears.
## references
• Closes #5232
runatlantis/atlantis
GitHub
06/16/2025, 7:46 AM
`failed to build command: running git fetch origin pull/0/head:: fatal: couldn't find remote ref pull/0/head`
• Updating clone logic to skip using `HEAD^2` when using the checkout merge strategy whilst no PR number is specified. If a plan is triggered remotely on main for instance, this leads to 128 errors from git:
`will re-clone repo, could not determine if was at correct commit: git rev-parse HEAD^2: exit status 128: fatal: ambiguous argument 'HEAD^2': unknown revision or path not in the working tree.`
• Updating logic to skip making a VCS call when there isn't a pull request. This mitigates this error:
`updating project PR status%!(EXTRA *github.ErrorResponse=POST https://api.github.com/repos/<your-org>/<your-terraform-repo>/statuses/master: 422 Validation Failed [{Resource:Status Field:sha Code:custom Message:sha must be a 40 character SHA1}])...`
## why
This should fix the issue detailed in "/api/plan throws 500 error when using GitHub App" (#4850).
Per the docs, POSTs to /api/plan and /api/apply can optionally omit the PR parameter. Therefore, we should check to see if it's 0 before pivoting to a pull request based reference checkout.
We shouldn't make calls to VCS if there is no pull request to update statuses on. This leads to 422 errors that can be avoided.
## tests
Added a unit-test for the main fix of this work.
I also manually tested the use of `ATLANTIS_CHECKOUT_STRATEGY=merge` in our internal systems. Our drift detection mechanism calls `<ATLANTIS_URL>/api/plan` and looks into the output of the plans to make sure no changes are required.
## references
https://github.com/runatlantis/atlantis/blob/6fe0303279839faadb76e94de94d7c250876b336/runatlantis.io/docs/api-endpoints.md#post-apiplan
Should close #4850
runatlantis/atlantis
GitHub
06/16/2025, 1:59 PM
GitHub
06/17/2025, 11:54 AM
#4318, but you cannot see whether policies are active.
runatlantis/atlantis
GitHub
06/17/2025, 2:22 PM
GitHub
06/18/2025, 7:15 AM
GitHub
06/18/2025, 7:16 AM
GitHub
06/18/2025, 7:16 AM
GitHub
06/18/2025, 7:17 AM
GitHub
06/18/2025, 7:17 AM
GitHub
06/18/2025, 7:17 AM
GitHub
06/18/2025, 11:23 PM
GitHub
06/19/2025, 9:50 PM
`--enable-plan-queue=true`
### 2. Lock Retry Logic
• Automatic retry of lock acquisition with configurable delays
• Configurable attempts via `--lock-retry-max-attempts=3`
• Configurable delays via `--lock-retry-delay=5`
• Configurable via `--enable-lock-retry=true`
### 3. Enhanced Project Locking
• Memory-based locking to prevent race conditions
• Working directory protection to prevent premature cleanup
• Automatic cleanup of locks and protections
• Better error handling and user feedback
### 4. Queue Management
• Persistent queue state across server restarts
• Queue position tracking and notifications
• Automatic queue cleanup when PRs are closed
• Configurable queue behavior
## 🔧 Configuration
All new features are opt-in and can be enabled via command-line flags:
```shell
# Enable plan queue functionality
--enable-plan-queue=true
# Enable lock retry logic
--enable-lock-retry=true
# Configure retry attempts (default: 3)
--lock-retry-max-attempts=5
# Configure retry delay in seconds (default: 5)
--lock-retry-delay=10
```
## 📊 Performance Impact
• Minimal overhead when features are disabled (default)
• Efficient memory usage with configurable limits
• Non-blocking operations for better responsiveness
• Graceful degradation when features are unavailable
## 🧪 Testing
• Comprehensive unit tests for all new functionality
• Integration tests for queue and locking behavior
• Race condition tests to ensure thread safety
• Performance benchmarks for critical paths
## 📚 Documentation
• Updated server configuration documentation
• Usage examples and best practices
• Troubleshooting guide for common issues
• Migration guide for existing deployments
## 🔒 Security
• No breaking changes to existing security model
• Maintains existing authentication and authorization
• Audit trail for all queue and lock operations
• Configurable access controls for queue management
## 🚨 Breaking Changes
None - All new features are opt-in and disabled by default. Existing deployments will continue to work without any configuration changes.
## 🔗 Related Issues
This PR addresses several long-standing issues and builds upon previous work:
• ADR #3345 - Project Locks - Architecture decision for project-level locking
• PR #4997 - Lock Retry Logic - Previous implementation of lock retry functionality
• Issue #1914 - Workspace lock creation - Original issue about workspace locking behavior
• Issue #2200 - Lock creation for no apparent reason - Issue about unexpected lock creation
• Issue #3336 - Race condition between hooks and cleanup - Race condition issues in locking system
## 🎯 Future Enhancements
• Priority-based queuing for urgent changes
• Queue analytics and metrics
• Webhook integration for queue events
• Advanced scheduling algorithms
• Multi-region queue support
## 📝 Changelog
### Added
• Plan queue functionality with automatic lock transfer
• Lock retry logic with configurable attempts and delays
• Enhanced project locking with memory-based protection
• Working directory protection to prevent premature cleanup
• Comprehensive queue management and notifications
• New configuration flags for all features
### Changed
• Improved error handling and user feedback
• Better race condition prevention
• Enhanced logging for debugging
### Fixed
• Race conditions in lock acquisition
• Premature working directory cleanup
• Inconsistent lock behavior across concurrent operations
## 🤝 Contributing
This feature was developed with input from the Atlantis community and addresses real-world usage patterns. We welcome feedback and contributions to further improve the system.
runatlantis/atlantis
GitHub
06/20/2025, 4:12 PM
`func (p *PullClosedExecutor) CleanUpPull` to use the updated definition of `PullInfo`
## why
• see related issue
• this commit updated the definition of `PullInfo`
• `PullInfo` wasn't updated in the function used to clean up job info, so matches were not found in the mapping
## tests
• tested in my local environment with PRs from Azure Devops
## references
• see issue
runatlantis/atlantis
GitHub
06/25/2025, 5:19 PM
`<Badge text="v0.17.0" type="info"/>`)
• Covered flags from core features (v0.1.0+) to the latest features (v0.48.0+)
### Repo-Level atlantis.yaml Configuration
• Added version annotations to all configuration keys in the example
• Covered top-level keys, project-level keys, and specific features
• Included version information for features like:
• `automerge` (v0.15.0+)
• `parallel_plan`/`parallel_apply` (v0.17.0+)
• `autodiscover` (v0.18.0+)
• `terraform_distribution` (v0.25.0+)
• And many more
### Analysis Document
• Created `atlantis-features-version-analysis.md` with comprehensive feature analysis
• Documents all features and their introduction versions based on changelog analysis
## Benefits
• Users can now see exactly when each feature was introduced
• Migration planning becomes easier with clear version requirements
• Feature compatibility is immediately visible
• Documentation is more informative for users on different Atlantis versions
## Version Information Sources
The version annotations are based on:
1. CHANGELOG.md analysis
2. GitHub releases research
3. Merged PRs investigation
4. Code analysis for feature introduction points
This makes the documentation much more useful for users who need to understand feature availability across different Atlantis versions.
runatlantis/atlantis
GitHub
06/26/2025, 12:04 AM
`.github/release.yml` file. The change removes the lock emoji from the "Security changes" section title for consistency with the other section titles.
runatlantis/atlantis
GitHub
06/26/2025, 12:59 AM
`DisableIndentity` flag in the client options.
• Introducing `DisableIdentity` flag in the client options.
• Updating the documentation related to the new flag and the one that was deprecated.
Full Changelog: redis/go-redis@v9.7.1...v9.7.3
### `v9.7.2`
Compare Source
### `v9.7.1`
Compare Source
### Changes
• Recognize byte slice for key argument in cluster client hash slot computation (#3049)
• fix(search&aggregate):fix error overwrite and typo #3220 (#3224)
• fix: linter configuration (#3279)
• fix(search): if ft.aggregate use limit when limitoffset is zero (#3275)
• Reinstate read-only lock on hooks access in dialHook to fix data race (#3225)
• fix: flaky ClientKillByFilter test (#3268)
• chore: fix some comments (#3226)
• fix(aggregate, search): ft.aggregate bugfixes (#3263)
• fix: add unstableresp3 to cluster client (#3266)
• Fix race condition in clusterNodes.Addrs() (#3219)
• SortByWithCount FTSearchOptions fix (#3201)
• Eliminate redundant dial mutex causing unbounded connection queue contention (#3088)
• Add guidance on unstable RESP3 support for RediSearch commands to README (#3177)
#### 🚀 New Features
• Add guidance on unstable RESP3 support for RediSearch commands to README (#3177)
#### 🐛 Bug Fixes
• fix(search): if ft.aggregate use limit when limitoffset is zero (#3275)
• fix: add unstableresp3 to cluster client (#3266)
• fix(aggregate, search): ft.aggregate bugfixes (#3263)
• SortByWithCount FTSearchOptions fix (#3201)
• Recognize byte slice for key argument in cluster client hash slot computation (#3049)
#### Contributors
We'd like to thank all the contributors who worked on this release!
@ofekshenawa, @Cgol9, @LINKIWI, @shawnwgit, @zhuhaicity, @bitsark, @vladvildanov, @ndyakov
Full Changelog: redis/go-redis@v9.7.0...v9.7.1
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
---
• If you want to rebase/retry this PR, check this box
---
This PR was generated by Mend Renovate. View the repository job log.
runatlantis/atlantis
GitHub
06/26/2025, 4:15 PM
GitHub
06/26/2025, 8:00 PM
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`
#### References
• https://nvd.nist.gov/vuln/detail/CVE-2025-22872
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
• https://pkg.go.dev/vuln/GO-2025-3595
• https://security.netapp.com/advisory/ntap-20250516-0007
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
#### Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
#### Severity
Unknown
#### References
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
---
• If you want to rebase/retry this PR, check this box
---
This PR was generated by Mend Renovate. View the repository job log: https://developer.mend.io/github/runatlantis/atlantis
runatlantis/atlantis
GitHub
06/26/2025, 8:00 PM
`.env`, `.env.*`, `*.{crt,pem}`, `**/.env`
• Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`
### Details
`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).
These patterns could be bypassed for files under root by using a combination of slash and dot (`/.`).
### PoC
```shell
npm create vite@latest
cd vite-project/
# write a file that the default server.fs.deny list is supposed to protect
echo "secret" > .env
npm install
npm run dev
# request /.env with a trailing "/." so the deny pattern does not match
curl --request-target /.env/. http://localhost:5173
```
---
### Vite bypasses `server.fs.deny` when using `?raw??`
CVE-2025-30208 / GHSA-x574-m823-4x7w
More information
#### Details
##### Summary
The contents of arbitrary files can be returned to the browser.
##### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected.
##### Details
`@fs` denies access to files outside of the Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.
##### PoC
```console
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
```
##### expected behaviour
```console
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.
```
##### security bypassed
```console
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```
#### Severity
• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
#### References
• https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
• https://nvd.nist.gov/vuln/detail/CVE-2025-30208
• https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
• https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
• https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
• https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
• https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
• https://github.com/vitejs/vite
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Vite has a `server.fs.deny` bypass for `inline` and `raw` with `?import` query
CVE-2025-31125 / GHSA-4r4m-qw57-chr8
More information
#### Details
##### Summary
The contents of arbitrary files can be returned to the browser.
##### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected.
##### Details
• base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
• content of non-allowed files is exposed using `?raw?import`
`/@fs/` isn't needed to reproduce the issue for files inside the proj…
runatlantis/atlantis
GitHub
06/26/2025, 8:00 PM
`Bearer` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
##### Details
See `parse.ParseUnverified`
##### Impact
Excessive memory allocation
#### Severity
• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
#### References
• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
• https://github.com/golang-jwt/jwt
• https://security.netapp.com/advisory/ntap-20250404-0002
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Release Notes
golang-jwt/jwt (github.com/golang-jwt/jwt/v4)
### `v4.5.2`
Compare Source
See GHSA-mh63-6h87-95cp
Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
---
• If you want to rebase/retry this PR, check this box
---
This PR was generated by Mend Renovate. View the repository job log.
runatlantis/atlantis
GitHub
06/26/2025, 8:00 PM
`Bearer` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
##### Details
See `parse.ParseUnverified`
##### Impact
Excessive memory allocation
#### Severity
• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
#### References
• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
• https://github.com/golang-jwt/jwt
• https://security.netapp.com/advisory/ntap-20250404-0002
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Release Notes
golang-jwt/jwt (github.com/golang-jwt/jwt/v5)
### `v5.2.2`
Compare Source
#### What's Changed
• Fixed GHSA-mh63-6h87-95cp by @mfridman
• Fixed some typos by @Ashikpaul in https://github.com/golang-jwt/jwt/pull/382
• build: add go1.22 to ci workflows by @mfridman in https://github.com/golang-jwt/jwt/pull/383
• Bump golangci/golangci-lint-action from 4 to 5 by @dependabot in https://github.com/golang-jwt/jwt/pull/387
• Bump golangci/golangci-lint-action from 5 to 6 by @dependabot in https://github.com/golang-jwt/jwt/pull/389
• chore: bump ci tests to include go1.23 by @mfridman in https://github.com/golang-jwt/jwt/pull/405
• Fix jwt -show by @AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406
• docs: typo by @kvii in https://github.com/golang-jwt/jwt/pull/407
• Update SECURITY.md by @oxisto in https://github.com/golang-jwt/jwt/pull/416
• Update `jwt.Parse` example to use `jwt.WithValidMethods` by @mattt in https://github.com/golang-jwt/jwt/pull/425
#### New Contributors
• @Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382
• @kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407
• @mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425
Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ *Rebasin…
runatlantis/atlantis
GitHub
06/26/2025, 8:00 PM
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
• https://nvd.nist.gov/vuln/detail/CVE-2025-22869
• https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
• https://github.com/golang/crypto
• https://go-review.googlesource.com/c/crypto/+/652135
• https://go.dev/cl/652135
• https://go.dev/issue/71931
• https://pkg.go.dev/vuln/GO-2025-3487
• https://security.netapp.com/advisory/ntap-20250411-0010
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Potential denial of service in golang.org/x/crypto
CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487
More information
#### Details
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
#### Severity
Unknown
#### References
• https://go.dev/cl/652135
• https://go.dev/issue/71931
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
---
• If you want to rebase/retry this PR, check this box
---
This PR was generated by Mend Renovate. View the repository job log.
runatlantis/atlantis
GitHub
06/26/2025, 8:00 PM
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L`
#### References
• https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• https://go-review.googlesource.com/q/project:net
• https://go.dev/cl/654697
• https://go.dev/issue/71984
• https://pkg.go.dev/vuln/GO-2025-3503
• https://security.netapp.com/advisory/ntap-20250509-0007
• http://www.openwall.com/lists/oss-security/2025/03/07/2
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503
More information
#### Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
#### Severity
Unknown
#### References
• https://go.dev/cl/654697
• https://go.dev/issue/71984
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
---
### golang.org/x/net vulnerable to Cross-site Scripting
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
#### Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
#### Severity
• CVSS Score: Unknown
• Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/…`
runatlantis/atlantis
GitHub
06/26/2025, 8:26 PM
GitHub
06/26/2025, 8:36 PM