Resolve Vulncheck GO-2025 4006 to 4015


    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Priority: Unknown
    • Affects Version/s: None
    • Component/s: None
    • Project: Go Drivers

      Detailed steps to reproduce the problem?

      The govulncheck static analysis task fails due to, for example, the following reported vulnerabilities:

      https://pkg.go.dev/vuln/GO-2025-4006 (CVE-2025-61725)
      https://pkg.go.dev/vuln/GO-2025-4007 (CVE-2025-58187)
      https://pkg.go.dev/vuln/GO-2025-4008 (CVE-2025-58189)
      https://pkg.go.dev/vuln/GO-2025-4009 (CVE-2025-61723)
      https://pkg.go.dev/vuln/GO-2025-4010 (CVE-2025-47912)
      https://pkg.go.dev/vuln/GO-2025-4011 (CVE-2025-58185)
      https://pkg.go.dev/vuln/GO-2025-4012 (CVE-2025-58186)
      https://pkg.go.dev/vuln/GO-2025-4013 (CVE-2025-58188)
      https://pkg.go.dev/vuln/GO-2025-4014 (CVE-2025-58183)
      https://pkg.go.dev/vuln/GO-2025-4015 (CVE-2025-61724)

      Definition of done: what must be done to consider the task complete?

      Presumably, Dependabot will open pull requests to resolve the underlying CVEs. However, go1.19 hasn't received security updates in over a year and has been unmaintained for 3 years. All of the vulnerabilities list the following affected Go versions:

      before go1.24.8, from go1.25.0 before go1.25.2

      We should upgrade the CI to use go1.25.3. Additionally, we should create a "Security Policy" section in README.md or a standalone SECURITY.md file that recommends users build with go1.25.3 or higher.
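As an added example (not code from the ticket or the driver repository), the affected ranges quoted above can be encoded and checked against a toolchain version, which is the kind of gate the CI upgrade would enforce; the type, variable and function names are my own, and the parser assumes release version strings only (no rc/beta suffixes).

```go
package main
import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// AffectedRange is one "from X before Y" clause: From inclusive, Before exclusive.
type AffectedRange struct{ From, Before string }
// Affected holds the ranges quoted in the ticket; the bare "before go1.24.8" starts at go1.0.
var Affected = []AffectedRange{{"go1.0", "go1.24.8"}, {"go1.25.0", "go1.25.2"}}

// key maps "go1.25.3" (or "go1.19", read as go1.19.0) to one comparable int.
// Assumption: release versions only; "go1.25rc1" is rejected, not guessed at.
func key(v string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, fmt.Errorf("unsupported Go version %q", v)
	}
	k := 0
	for _, p := range append(parts, "0")[:3] {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, fmt.Errorf("unsupported Go version %q", v)
		}
		k = k*1000 + n
	}
	return k, nil
}
// IsAffected reports whether Go version v lies in any range; bad input is an error, not false.
func IsAffected(v string, ranges []AffectedRange) (bool, error) {
	ver, err := key(v)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		from, errFrom := key(r.From)
		before, errBefore := key(r.Before)
		if errFrom != nil || errBefore != nil {
			return false, fmt.Errorf("malformed range %+v", r)
		}
		if ver >= from && ver < before {
			return true, nil
		}
	}
	return false, nil
}
func main() { // a CI gate would os.Exit(1) when the first value is true
	fmt.Println(IsAffected(runtime.Version(), Affected))
}
```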

      The exact Go version used, with patch level:

      go version go1.25.0 darwin/arm64

      The exact version of the Go driver used:

      master

      Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.

      NA

      The operating system and version (e.g. Windows 7, OSX 10.8, ...)

      macOS 15.7.2 (24G325)

      Security Vulnerabilities

      See description

            Assignee: Preston Vasquez
            Reporter: Preston Vasquez