Security: Kafka-exporter image contains 1 Critical and multiple High Go stdlib vulnerabilities

[pkar-hue]

Hello Maintainers,

We are currently using the danielqsj/kafka-exporter Docker image and observed multiple security vulnerabilities during our container vulnerability scan.

Summary

• Image: danielqsj/kafka-exporter
• Scan Result: 1 Critical and multiple High vulnerabilities
• Category: Go stdlib / golang.org/x modules
• Go Version Detected: go1.24.0

Observed Vulnerabilities

• CRITICAL

  • CVE-2025-22871 (Go stdlib – net/http)

• HIGH

  • CVE-2025-22874
  • CVE-2025-4674
  • CVE-2025-47907
  • CVE-2025-58187
  • CVE-2025-58188
  • CVE-2025-61723
  • CVE-2025-61725
  • CVE-2025-61729

These vulnerabilities appear to be addressed in newer Go patch releases (>= 1.24.11).

Request

Could you please confirm:

1. Whether a new image will be released with an updated Go version
2. Any recommended mitigation or timeline for addressing these vulnerabilities

This would help us plan upgrades and comply with internal security requirements.

Thank you for maintaining this project.

[pkar-hue]

Hi Maintainers,
Any latest on this ?

Thanks

[gwenael-lebarzic]

Hello, I just +1 to this issue, is it possible to have a new version of kafka_exporter at least without the CVE HIGH and CRITICAL ?

Path	Type	Package	Installed Version	CVE	Severity	Statut	Fix	Title
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-68121	CRITICAL	fixed	1.24.13, 1.25.7, 1.26.0-rc.3	Unexpected session resumption in crypto/tls
opt/kafka-exporter/kafka_exporter	gobinary	golang.org/x/crypto	v0.32.0	CVE-2025-22869	HIGH	fixed	0.35.0	Denial of Service in the key exchange of golang.org/x/crypto/ssh
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-22874	HIGH	fixed	1.24.4	Usage of ExtKeyUsageAny disables policy validation in crypto/x509
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-47907	HIGH	fixed	1.23.12, 1.24.6	Postgres Scan Race Condition
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-58183	HIGH	fixed	1.24.8, 1.25.2	Unbounded allocation when parsing GNU sparse map
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-61726	HIGH	fixed	1.24.12, 1.25.6	Memory exhaustion in query parameter parsing in net/url
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-61728	HIGH	fixed	1.24.12, 1.25.6	Excessive CPU consumption in archive/zip
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2025-61729	HIGH	fixed	1.24.11, 1.25.5	Excessive resource consumption in crypto/x509
opt/kafka-exporter/kafka_exporter	gobinary	stdlib	v1.24.0	CVE-2026-25679	HIGH	fixed	1.25.8, 1.26.1	Incorrect parsing of IPv6 host literals in net/url