VULN UPGRADE: major upgrades — 4 packages (unstable: 3 · minor: 1)

[campaigner-prod]

Summary: Critical-severity security update — 4 packages upgraded (MAJOR changes included)

Manifests changed:

• . (go)

Updates

Package	From	To	Type	Vulnerabilities Fixed
golang.org/x/crypto	v0.11.0	v0.47.0	major	3 CRITICAL, 2 HIGH, 5 MODERATE, 4 MEDIUM, 1 UNKNOWN
github.com/secure-systems-lab/go-securesystemslib	v0.7.0	v0.10.0	major	-
golang.org/x/term	v0.10.0	v0.39.0	major	-
github.com/stretchr/testify	v1.8.4	v1.11.1	minor	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GHSA-v778-237x-gjrc	CRITICAL	Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto	v0.11.0	0.31.0
golang.org/x/crypto	CVE-2024-45337	critical	-	v0.11.0	-
golang.org/x/crypto	GO-2024-3321	critical	Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto	v0.11.0	0.31.0
golang.org/x/crypto	GHSA-hcg3-q754-cr77	HIGH	golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange	v0.11.0	0.35.0
golang.org/x/crypto	GO-2025-3487	HIGH	Potential denial of service in golang.org/x/crypto	v0.11.0	0.35.0

ℹ️ Other Vulnerabilities (10)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GO-2025-4135	medium	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent	v0.11.0	0.45.0
golang.org/x/crypto	CVE-2025-47914	medium	-	v0.11.0	-
golang.org/x/crypto	GO-2023-2402	medium	Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto	v0.11.0	0.17.0
golang.org/x/crypto	CVE-2023-48795	medium	-	v0.11.0	-
golang.org/x/crypto	GHSA-45x7-px36-x8w8	MODERATE	Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin	v0.11.0	0.17.0
golang.org/x/crypto	GHSA-j5w8-q4qc-rx2x	MODERATE	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	v0.11.0	0.45.0
golang.org/x/crypto	GHSA-f6x5-jh6r-wrfv	MODERATE	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	v0.11.0	0.45.0
golang.org/x/crypto	GO-2025-4134	MODERATE	Unbounded memory consumption in golang.org/x/crypto/ssh	v0.11.0	0.45.0
golang.org/x/crypto	CVE-2025-58181	MODERATE	-	v0.11.0	-
golang.org/x/crypto	GO-2025-4116	unknown	Potential denial of service in golang.org/x/crypto/ssh/agent	v0.11.0	0.43.0

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System