
Update dependencies (Security Compliancy)

Open galvesLoy opened this issue 2 months ago • 2 comments

Hi @prymitive, just saw you updated to 1.2.2 🧑‍🍳 (Thanks), but we are getting a security scan that asks us to update one of the packages.

CVE: GO-2025-3770

And we got a patch! Is it possible to update it to 5.2.2 in the go.mod file?

Thanks!

Full scan:

```
+--------------+----------+------+--------------------------+---------+----------------+------------+------------+------------+----------------------------------------------------+-------------------+
| CVE          | SEVERITY | CVSS | PACKAGE                  | VERSION | STATUS         | PUBLISHED  | DISCOVERED | GRACE DAYS | DESCRIPTION                                        | TRIGGERED FAILURE |
+--------------+----------+------+--------------------------+---------+----------------+------------+------------+------------+----------------------------------------------------+-------------------+
| GO-2025-3770 | medium   | 0.00 | github.com/go-chi/chi/v5 | v5.2.1  | fixed in 5.2.2 | > 3 months | < 1 hour   | -63        | Host Header Injection which Leads to Open Redirect | Yes               |
|              |          |      |                          |         | > 3 months ago |            |            |            | in RedirectSlashes in github.com/go-chi/chi        |                   |
+--------------+----------+------+--------------------------+---------+----------------+------------+------------+------------+----------------------------------------------------+-------------------+
```

galvesLoy avatar Oct 30 '25 16:10 galvesLoy

That's a false positive; RedirectSlashes isn't used anywhere in karma.

prymitive avatar Oct 30 '25 21:10 prymitive
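The scanner output above flags the dependency purely on the version pinned in go.mod, which is why the maintainer can call it a false positive: a version-based check has no idea whether the affected symbol (`RedirectSlashes`) is ever called. The following added example, which is not karma's code and not part of this thread, reproduces that version-based check over a constructed go.mod fragment so the two views can be compared. The module path `github.com/go-chi/chi/v5`, the pinned version `v5.2.1` and the fixed version `v5.2.2` come from the scan table in this issue; the module name `github.com/prymitive/karma` and the other require lines are assumed for illustration and may not match the real file.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// goModSample is a constructed go.mod fragment (not karma's real file). The
// chi module path and its pinned version are taken from the scan output in
// this issue; the remaining lines are placeholders.
const goModSample = `module github.com/prymitive/karma

go 1.24

require (
	github.com/go-chi/chi/v5 v5.2.1
	github.com/stretchr/testify v1.10.0 // indirect
)
`

// requiredVersion returns the version go.mod pins for modulePath, handling
// both single-line "require x vN" entries and "require ( ... )" blocks.
func requiredVersion(gomod, modulePath string) (string, bool) {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		// Drop trailing comments such as "// indirect".
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			// module, go, replace and other directives are not require entries.
			continue
		}
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == modulePath {
			return fields[1], true
		}
	}
	return "", false
}

// parseSemver splits "v5.2.1" into numeric components. Pre-release and build
// metadata are deliberately unsupported: the pins in this issue have none.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unsupported version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// Vulnerable reports whether go.mod still pins modulePath below the version the
// advisory lists as fixed. This is exactly the version-only test a dependency
// scanner performs; it cannot tell whether the vulnerable symbol is reachable.
func Vulnerable(gomod, modulePath, fixedIn string) (bool, error) {
	pinned, ok := requiredVersion(gomod, modulePath)
	if !ok {
		return false, errors.New(modulePath + " is not required in go.mod")
	}
	have, err := parseSemver(pinned)
	if err != nil {
		return false, err
	}
	fixed, err := parseSemver(fixedIn)
	if err != nil {
		return false, err
	}
	return compareSemver(have, fixed) < 0, nil
}

func main() {
	v, err := Vulnerable(goModSample, "github.com/go-chi/chi/v5", "v5.2.2")
	fmt.Println(v, err) // true <nil>: flagged on version alone
}
```

Bumping the pin is the fix the issue asks for (`go get github.com/go-chi/chi/v5@v5.2.2` followed by `go mod tidy`), after which `Vulnerable` returns false. To settle the reachability question the maintainer raises, `govulncheck ./...` from golang.org/x/vuln is the tool to run: it uses the same GO-YYYY-NNNN advisory IDs as the scan above but reports a finding only when the vulnerable function is reachable from the module's call graph, so an unused `RedirectSlashes` would not be reported even at v5.2.1.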

Thank you for your answer. I created a change to apply the security update even if we don't use RedirectSlashes, as it is a minor change.

galvesLoy avatar Oct 31 '25 14:10 galvesLoy