grpc-health-probe
New release with vulnerability fixes
The fixes for CVE-2025-27144 and CVE-2025-22870 are merged. Can we get a new release with the fixes integrated?
None of these bugs realistically impact this project. This is an endless cycle of just human toil. I recommend you start suppressing these. I assume this tool doesn't touch internet or user input for you at all. So these fixes aren't warranted.
When you want to build Docker images with zero vulnerabilities, it could be kind to release a version with these fixes, couldn't it?
You can refer to this workaround: #250
> None of these bugs realistically impact this project. This is an endless cycle of just human toil. I recommend you start suppressing these. I assume this tool doesn't touch internet or user input for you at all. So these fixes aren't warranted.
You're right. But unfortunately, there are scans that aren't as versatile and cannot ignore this vulnerability in this binary only :( So it would be great if we could use an official release without our own builds - a new release would be highly appreciated. Thank you very much!
Is there any planned release date for a new version? The main branch has some security fixes that we are looking for.
https://github.com/grpc-ecosystem/grpc-health-probe/pull/251 Also the above is required for CVE-2025-22872
A new release 0.4.38 was released yesterday, including fixes for all CVEs listed above, namely:
- CVE-2025-27144 in #241
- CVE-2025-22870 in #245
- CVE-2025-22872 in #251

...and all other currently publicly known security issues.
See https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.4.38
Thanks so much, that will solve our issues.