stdlib needs to be bumped to non-vulnerable version
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| stdlib | CVE-2025-22874 | HIGH | fixed | v1.24.3 | 1.24.4 | crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509 https://avd.aquasec.com/nvd/cve-2025-22874 |
| stdlib | CVE-2025-47907 | | | v1.24.3 | 1.23.12, 1.24.6 | database/sql: Postgres Scan Race Condition https://avd.aquasec.com/nvd/cve-2025-47907 |
The dbmate developers stated in their release notes (MR/PR/Changelog) for version 2.28.0 that they had upgraded the Go dependency to version 1.24.5. This new version likely fixes the security issue.
The actual release of dbmate 2.28.0 was built with the older, vulnerable Go version 1.24.3.
Interesting and surprising, thanks for pointing this out.
$ curl -sLO https://github.com/amacneil/dbmate/releases/download/v2.28.0/dbmate-macos-amd64
$ ls -l dbmate-macos-amd64
-rw-r--r-- 1 dossy staff 32538752 Sep 9 00:28 dbmate-macos-amd64
$ sha1sum dbmate-macos-amd64
8915ddf1fdc776e5ba996ceeb114b1e710027d39 dbmate-macos-amd64
$ go version -m dbmate-macos-amd64 | head -1
dbmate-macos-amd64: go1.24.3
I guess the Go Toolchain documentation that states that "the go command uses its own bundled toolchain when that toolchain is at least as new as the go or toolchain lines in the main module or workspace" may not be the case? No, that can't be.
Because while our go.mod does list toolchain go1.24.3 at the moment, our Dockerfile does use golang:1.24.5 as its base image, but our binary releases use GitHub Actions actions/setup-go@v5 with go-version-file: go.mod, which uses the toolchain line from go.mod to decide which version of Go to install, which is why the binary releases are still built with Go 1.24.3.
The Docker image build of dbmate 2.28.0 does use the Go 1.24.5 toolchain, though:
$ docker run --rm --entrypoint /bin/sh amacneil/dbmate:2.28.0 -c 'apk add go >/dev/null; go version -m /usr/local/bin/dbmate | head -1' amacneil/dbmate:2.28.0
/usr/local/bin/dbmate: go1.24.5
We'll need to bump the toolchain version in go.mod to get the binary releases to build with the proper Go version, though.
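The mismatch described above (go.mod toolchain line driving the release build while the Dockerfile uses a newer base image) is easy to catch in CI before a release ships. The script below is an added example, not part of dbmate or of this thread: it parses the toolchain line from a go.mod, parses the first line of `go version -m <binary>` (the same command used above), and compares both against the fixed version reported by the scanner. The go.mod text and the version line are constructed inline so it runs offline; the module path is a placeholder.

```shell
#!/bin/sh
# Added example: verify that a Go release binary was built with a toolchain at
# or above the version that carries a stdlib fix. Not dbmate project code.

# Constructed go.mod, modelled on the "toolchain go1.24.3" line mentioned in
# the thread. The module path is a placeholder.
SAMPLE_GOMOD='module github.com/example/placeholder

go 1.24.0

toolchain go1.24.3
'

# Constructed first line of `go version -m <binary>`; same value as posted above.
SAMPLE_VERSION_OUTPUT='dbmate-macos-amd64: go1.24.3'

# Read a go.mod on stdin and print the version from its toolchain line
# ("toolchain go1.24.3" -> "1.24.3"). This is the line actions/setup-go
# honours when go-version-file points at go.mod.
gomod_toolchain() {
    sed -n 's/^toolchain[[:space:]][[:space:]]*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read `go version -m` output on stdin and print the Go version the binary was
# built with ("name: go1.24.3" -> "1.24.3").
binary_go_version() {
    sed -n 's/^[^:]*:[[:space:]]*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Dotted-version comparison: succeeds when $1 >= $2 (numeric per component).
version_ge() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$highest" = "$1" ]
}

# Verdict for one release. $1 = go.mod text, $2 = first line of
# `go version -m <binary>`, $3 = fixed version from the scanner table.
# Prints "ok" when both the toolchain line and the shipped binary are at or
# above the fixed version; otherwise prints which of the two is behind.
release_verdict() {
    toolchain=$(printf '%s\n' "$1" | gomod_toolchain)
    built_with=$(printf '%s\n' "$2" | binary_go_version)
    if ! version_ge "$toolchain" "$3"; then
        echo "go.mod toolchain go$toolchain is below fixed version $3; bump it"
    elif ! version_ge "$built_with" "$3"; then
        echo "binary built with go$built_with, below fixed version $3"
    else
        echo "ok"
    fi
}

# Stand-alone run against the constructed inputs and the 1.24.4 fix for
# CVE-2025-22874 from the table at the top of the thread.
release_verdict "$SAMPLE_GOMOD" "$SAMPLE_VERSION_OUTPUT" 1.24.4
```

In a real pipeline the first argument would be `$(cat go.mod)` and the second `$(go version -m dist/dbmate-linux-amd64 | head -n 1)`; a non-"ok" verdict is the signal to bump the toolchain line rather than only the Dockerfile base image.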
That makes sense. Thank you!
Any chance that PR could get finished? We may have just had a hack...