deps(deps): update davidanson/markdownlint-cli2-action action to v24 #124

Open

renovate[bot] wants to merge 1 commit into master from renovate/davidanson-markdownlint-cli2-action-24.x

Conversation

@renovate renovate Bot commented Jul 4, 2026

Contributor

This PR contains the following updates:

Package                             | Type   | Update | Change
DavidAnson/markdownlint-cli2-action | action | major  | v20.0.0 -> v24.0.0

Release Notes

DavidAnson/markdownlint-cli2-action (DavidAnson/markdownlint-cli2-action)

  • v24.0.0: Update markdownlint-cli2 version (markdownlint-cli2 v0.23.0, markdownlint v0.41.0).
  • v24
  • v23.2.0: Add package-lock.json.
  • v23.1.0: Update markdownlint-cli2 version (markdownlint-cli2 v0.22.1, markdownlint v0.40.0).
  • v23.0.0: Update markdownlint-cli2 version (markdownlint-cli2 v0.22.0, markdownlint v0.40.0), update Node.js dependency to 24.
  • v23
  • v22.0.0: Update markdownlint version (markdownlint-cli2 v0.20.0, markdownlint v0.40.0).
  • v22
  • v21.0.0: Update markdownlint version (markdownlint-cli2 v0.19.0, markdownlint v0.39.0).
  • v21


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) July 4, 2026 01:58
@renovate renovate Bot requested a review from lotyp as a code owner July 4, 2026 01:58
@github-actions github-actions Bot added the type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci) label Jul 4, 2026

github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
  digest: sha256:3685fd75e664cf9018b11b32e67fd73f55a0661e427990be89a95632bf006ff6
  vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
  platform: linux/amd64
  size: 120 MB
  packages: 253

📦 Base Image: php:8.4-alpine
  also known as:
  • 8.4-alpine3.24
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.24
  • 8.4.23-alpine
  • 8.4.23-alpine3.24
  • 8.4.23-cli-alpine
  • 8.4.23-cli-alpine3.24
  digest: sha256:dfdfa6b3a505d58103fbad3de655dec3423963772a42c8ddbdddd6d3a050c724
  vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2

critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical : CVE-2026-46595

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.440%
  EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE-2026-42508

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.469%
  EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE-2026-39834

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.466%
  EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE-2026-39833

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.360%
  EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE-2026-39832

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.338%
  EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE-2026-39831

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.373%
  EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE-2026-39830

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.500%
  EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE-2026-46597

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.359%
  EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE-2026-39829

  Affected range: <0.52.0
  Fixed version: 0.52.0
  EPSS Score: 0.400%
  EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high : CVE-2025-47913

  Affected range: <0.43.0
  Fixed version: 0.43.0
  EPSS Score: 0.591%
  EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical : CVE-2026-39821

  Affected range: <0.55.0
  Fixed version: 0.55.0
  EPSS Score: 0.478%
  EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high : CVE-2026-33814

  Affected range: <0.53.0
  Fixed version: 0.53.0
  EPSS Score: 0.781%
  EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

  Affected range: <1.79.3
  Fixed version: 1.79.3
  CVSS Score: 9.1
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  EPSS Score: 1.557%
  EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

// Imports added so the advisory's snippet compiles as a unit; they are not part of the original snippet.
import (
    "context"

    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects any method name that lacks the mandatory
// leading slash before the request can reach authorization interceptors or handlers.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
// (authzInterceptor stands for your existing authorization interceptor; this goes in your server setup function)
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high : CVE-2026-42504

  Affected range: >=1.26.0-0, <1.26.4
  Fixed version: 1.26.4
  EPSS Score: 0.560%
  EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

  Affected range: <1.3.6
  Fixed version: 1.3.6
  CVSS Score: 7.5
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  EPSS Score: 0.519%
  EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".


github-actions Bot commented Jul 4, 2026


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.4-alpine

  Name: 8.4.23-alpine3.24
  Digest: sha256:dfdfa6b3a505d58103fbad3de655dec3423963772a42c8ddbdddd6d3a050c724
  Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
  Pushed: 1 day ago
  Size: 42 MB
  Packages: 60
  Flavor: alpine
  OS: 3.24
  Runtime: 8.4.23

The base image is also available under the supported tag(s): 8.4-alpine3.24, 8.4-cli-alpine, 8.4-cli-alpine3.24, 8.4.23-alpine, 8.4.23-alpine3.24, 8.4.23-cli-alpine, 8.4.23-cli-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.5-alpine
Details: Minor runtime version update
Also known as:
  • 8.5.7-cli-alpine
  • 8.5.7-cli-alpine3.24
  • 8.5-cli-alpine
  • 8.5-cli-alpine3.24
  • 8-cli-alpine
  • 8-cli-alpine3.24
  • cli-alpine
  • cli-alpine3.24
  • alpine
  • alpine3.24
  • 8.5.7-alpine
  • 8.5.7-alpine3.24
  • 8.5-alpine3.24
  • 8-alpine
  • 8-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 45 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.5.7
Pushed: 2 weeks ago




github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
  digest: sha256:8936e416c4f98fdfb53a4c2c3c84fe8b4876b4250c6e09a9b1f8c50d877c44cb
  vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
  platform: linux/amd64
  size: 115 MB
  packages: 253

📦 Base Image: php:8.3-alpine
  also known as:
  • 8.3-alpine3.24
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.24
  • 8.3.32-alpine
  • 8.3.32-alpine3.24
  • 8.3.32-cli-alpine
  • 8.3.32-cli-alpine3.24
  digest: sha256:d2e13c5b28b4594f75dbd1af9cb61b8ec10d9341618f1a0ccb7276bb931e883b
  vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2



github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
  digest: sha256:35e4949820e2b5e9b582f8ff5596792ed1174f67252a0264fb071bdca30c5f33
  vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
  platform: linux/amd64
  size: 135 MB
  packages: 283

📦 Base Image: php:8.3-alpine
  also known as:
  • 8.3-alpine3.24
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.24
  • 8.3.32-alpine
  • 8.3.32-alpine3.24
  • 8.3.32-cli-alpine
  • 8.3.32-cli-alpine3.24
  digest: sha256:d2e13c5b28b4594f75dbd1af9cb61b8ec10d9341618f1a0ccb7276bb931e883b
  vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2

critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.440%
EPSS Percentile35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.469%
EPSS Percentile37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.338%
EPSS Percentile26th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.500%
EPSS Percentile39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.400%
EPSS Percentile32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high : CVE--2025--47913

Affected range<0.43.0
Fixed version0.43.0
EPSS Score0.591%
EPSS Percentile44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.478%
EPSS Percentile38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

high : CVE--2026--33814

Affected range<0.53.0
Fixed version0.53.0
EPSS Score0.781%
EPSS Percentile51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE--2026--33186 Improper Authorization

Affected range<1.79.3
Fixed version1.79.3
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score1.557%
EPSS Percentile72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

import (
    "context"

    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects any request whose full method name does not
// start with the canonical leading slash, before any authorization logic sees it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor is your
// existing path-based authorization interceptor.
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

@github-actions

github-actions Bot commented Jul 4, 2026


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name: 8.3.32-alpine3.24
Digest: sha256:d2e13c5b28b4594f75dbd1af9cb61b8ec10d9341618f1a0ccb7276bb931e883b
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 38 MB
Packages: 60
Flavor: alpine
OS: 3.24
Runtime: 8.3.32
The base image is also available under the supported tag(s): 8.3-alpine3.24, 8.3-cli-alpine, 8.3-cli-alpine3.24, 8.3.32-alpine, 8.3.32-alpine3.24, 8.3.32-cli-alpine, 8.3.32-cli-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.5-alpine
Details: Minor runtime version update
Also known as:
  • 8.5.7-cli-alpine
  • 8.5.7-cli-alpine3.24
  • 8.5-cli-alpine
  • 8.5-cli-alpine3.24
  • 8-cli-alpine
  • 8-cli-alpine3.24
  • cli-alpine
  • cli-alpine3.24
  • alpine
  • alpine3.24
  • 8.5.7-alpine
  • 8.5.7-alpine3.24
  • 8.5-alpine3.24
  • 8-alpine
  • 8-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 45 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.5.7
Pushed: 2 weeks ago

Tag: 8.4-alpine
Details: Minor runtime version update
Also known as:
  • 8.4.23-cli-alpine
  • 8.4.23-cli-alpine3.24
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.24
  • 8.4.23-alpine
  • 8.4.23-alpine3.24
  • 8.4-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.4.23
Pushed: 1 day ago



@github-actions

github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:a6b06201bdfdde1342b58bebd7c1a8028695cdfacad9e0e1de1ae37821a73920
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 114 MB
packages: 253
📦 Base Image php:8.2-alpine
also known as
  • 8.2-alpine3.24
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.24
  • 8.2.32-alpine
  • 8.2.32-alpine3.24
  • 8.2.32-cli-alpine
  • 8.2.32-cli-alpine3.24
digest: sha256:a8a5bdf128898c25da7a2c186401adaafb653346e4103b95b39ea92e7c72265f
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

import (
    "context"

    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects any request whose full method name does not
// start with the canonical leading slash, before any authorization logic sees it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor is your
// existing path-based authorization interceptor.
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

@github-actions

github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:b37502247b7da5b098b33a12b19d8ee162c6fba08bfd8bc18abaea35599cea8e
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 134 MB
packages: 283
📦 Base Image php:8.2-alpine
also known as
  • 8.2-alpine3.24
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.24
  • 8.2.32-alpine
  • 8.2.32-alpine3.24
  • 8.2.32-cli-alpine
  • 8.2.32-cli-alpine3.24
digest: sha256:a8a5bdf128898c25da7a2c186401adaafb653346e4103b95b39ea92e7c72265f
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

import (
    "context"

    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects any request whose full method name does not
// start with the canonical leading slash, before any authorization logic sees it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor is your
// existing path-based authorization interceptor.
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

@github-actions

github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:cd0d13da4d2306923d3aaf56292f09475661500b768ba7a94c8f4dd8f5cc01c6
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 110 MB
packages: 254
📦 Base Image php:8.2-fpm-alpine
also known as
  • 8.2-fpm-alpine3.24
  • 8.2.32-fpm-alpine
  • 8.2.32-fpm-alpine3.24
digest: sha256:a628de5009166b3602b79a270ae5cecbaa5bff01675bb4a1fae9dce4cc0b584d
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

package main

import (
    "context"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// Reject any :path that does not start with "/" before later interceptors or the handler see it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain (authzInterceptor is your existing authorization interceptor)
func newServer(authzInterceptor grpc.UnaryServerInterceptor) *grpc.Server {
    return grpc.NewServer(
        grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
    )
}

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

github-actions Bot commented Jul 4, 2026 (Outdated)

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:13ae3832737484aff1a3eca83d3922c73b88f44833919de314d5c4b008b08a66
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 139 MB
packages: 283
📦 Base Image php:8.4-alpine
also known as
  • 8.4-alpine3.24
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.24
  • 8.4.23-alpine
  • 8.4.23-alpine3.24
  • 8.4.23-cli-alpine
  • 8.4.23-cli-alpine3.24
digest: sha256:dfdfa6b3a505d58103fbad3de655dec3423963772a42c8ddbdddd6d3a050c724
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

package main

import (
    "context"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// Reject any :path that does not start with "/" before later interceptors or the handler see it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain (authzInterceptor is your existing authorization interceptor)
func newServer(authzInterceptor grpc.UnaryServerInterceptor) *grpc.Server {
    return grpc.NewServer(
        grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
    )
}

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

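The idna advisory (CVE-2026-39821) in the report above comes down to one rule from RFC 5891: an A-label ("xn--" prefix) whose Punycode decodes to pure ASCII is invalid, because the canonical spelling of that name is the plain ASCII label, and accepting both gives a hostname-based privilege check two spellings of one name. The Go program below is an added example, not code from x/net/idna: it implements the RFC 3492 Punycode decoder with the standard library only and a ToUnicodeLabel that applies the ASCII-only rejection, checked on "xn--example-" and on a label that does carry non-ASCII text. The labels and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// RFC 3492 Punycode parameters and digit alphabet.
const base, tmin, tmax, skew, damp, initialBias, initialN = 36, 1, 26, 38, 700, 72, 128
const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

var ErrBadPunycode, ErrASCIILabel = errors.New("invalid punycode"), errors.New("ACE label decodes to ASCII-only text")

// adapt is the bias adaptation function of RFC 3492 section 6.1.
func adapt(delta, numPoints int, firstTime bool) int {
	if firstTime {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for ; delta > ((base-tmin)*tmax)/2; k += base {
		delta /= base - tmin
	}
	return k + (base-tmin+1)*delta/(delta+skew)
}

// PunycodeDecode decodes one lower-case Punycode label (the part after "xn--").
func PunycodeDecode(s string) (string, error) {
	var out []rune
	if pos := strings.LastIndexByte(s, '-'); pos >= 0 { // basic code points precede the last "-"
		for j := 0; j < pos; j++ {
			if s[j] >= 0x80 {
				return "", ErrBadPunycode
			}
		}
		out, s = []rune(s[:pos]), s[pos+1:]
	}
	n, i, bias := initialN, 0, initialBias
	for len(s) > 0 { // each pass inserts one non-basic code point
		oldi, w := i, 1
		for k := base; ; k += base {
			if len(s) == 0 {
				return "", ErrBadPunycode
			}
			digit := strings.IndexByte(alphabet, s[0])
			if digit < 0 {
				return "", ErrBadPunycode
			}
			s = s[1:]
			i += digit * w
			t := k - bias
			if t < tmin {
				t = tmin
			} else if t > tmax {
				t = tmax
			}
			if digit < t {
				break
			}
			w *= base - t
		}
		x := len(out) + 1
		bias = adapt(i-oldi, x, oldi == 0)
		n += i / x
		i %= x
		if i < 0 || n > 0x10FFFF { // overflow from hostile input
			return "", ErrBadPunycode
		}
		out = append(out, 0) // insert rune n at position i
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return string(out), nil
}

// ToUnicodeLabel returns a non-ACE label unchanged and decodes an ACE label,
// rejecting one whose decoded form is ASCII-only (the check the fix adds).
func ToUnicodeLabel(label string) (string, error) {
	label = strings.ToLower(label)
	if !strings.HasPrefix(label, "xn--") {
		return label, nil
	}
	u, err := PunycodeDecode(label[4:])
	if err != nil {
		return "", err
	}
	if utf8.RuneCountInString(u) == len(u) { // every rune is one byte: ASCII-only
		return "", ErrASCIILabel
	}
	return u, nil
}

func main() {
	for _, l := range []string{"xn--mnchen-3ya", "xn--example-", "example"} {
		u, err := ToUnicodeLabel(l)
		fmt.Printf("%-16s -> %q err=%v\n", l, u, err)
	}
}
```

Apply it per label after splitting the hostname on "."; a program that makes its access decision on the ASCII form and converts afterwards should treat ErrASCIILabel as a hard failure rather than fall back to the ASCII string, since that fallback is exactly the second spelling the advisory warns about.
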
github-actions Bot commented Jul 4, 2026 (Outdated)

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name: 8.2.32-alpine3.24
Digest: sha256:a8a5bdf128898c25da7a2c186401adaafb653346e4103b95b39ea92e7c72265f
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 37 MB
Packages: 60
Flavor: alpine
OS: 3.24
Runtime: 8.2.32
The base image is also available under the supported tag(s): 8.2-alpine3.24, 8.2-cli-alpine, 8.2-cli-alpine3.24, 8.2.32-alpine, 8.2.32-alpine3.24, 8.2.32-cli-alpine, 8.2.32-cli-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.4-alpine
Details: Minor runtime version update
Also known as:
  • 8.4.23-cli-alpine
  • 8.4.23-cli-alpine3.24
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.24
  • 8.4.23-alpine
  • 8.4.23-alpine3.24
  • 8.4-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.4.23
Pushed: 1 day ago

Tag: 8.3-alpine
Details: Minor runtime version update
Also known as:
  • 8.3.32-cli-alpine
  • 8.3.32-cli-alpine3.24
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.24
  • 8.3.32-alpine
  • 8.3.32-alpine3.24
  • 8.3-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 38 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.3.32
Pushed: 1 day ago

Tag: 8.5-alpine
Details: Minor runtime version update
Also known as:
  • 8.5.7-cli-alpine
  • 8.5.7-cli-alpine3.24
  • 8.5-cli-alpine
  • 8.5-cli-alpine3.24
  • 8-cli-alpine
  • 8-cli-alpine3.24
  • cli-alpine
  • cli-alpine3.24
  • alpine
  • alpine3.24
  • 8.5.7-alpine
  • 8.5.7-alpine3.24
  • 8.5-alpine3.24
  • 8-alpine
  • 8-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image contains 1 fewer package
  • Image has same number of vulnerabilities
Image details:
  • Size: 45 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.5.7
Pushed: 2 weeks ago

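The HTTP/2 advisory (CVE-2026-33814) quoted in the scan reports above is a missing range check on a peer-supplied setting. RFC 9113 section 6.5.2 requires SETTINGS_MAX_FRAME_SIZE to lie between 2^14 and 2^24-1 and treats any other value as a connection error of type PROTOCOL_ERROR, so a value of 0 should terminate the connection rather than drive the frame writer. The Go program below is an added example, not x/net/http2 code: it parses a raw SETTINGS frame (9-byte header followed by 6-byte identifier/value pairs) with the RFC's checks and rejects the frame the advisory describes before any value is applied. The frames are constructed inline; the type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Setting identifiers and limits from RFC 9113 section 6.5.2.
const (
	SettingsEnablePush        uint16 = 0x2
	SettingsInitialWindowSize uint16 = 0x4
	SettingsMaxFrameSize      uint16 = 0x5

	frameTypeSettings = 0x4
	minMaxFrameSize   = 1 << 14
	maxMaxFrameSize   = 1<<24 - 1
	maxWindowSize     = 1<<31 - 1
)

var (
	ErrFrameSize   = errors.New("FRAME_SIZE_ERROR")
	ErrProtocol    = errors.New("PROTOCOL_ERROR")
	ErrFlowControl = errors.New("FLOW_CONTROL_ERROR")
)

// Settings is the negotiated state; DefaultSettings returns the RFC's initial values.
type Settings struct {
	MaxFrameSize      uint32
	InitialWindowSize uint32
	EnablePush        bool
}

func DefaultSettings() Settings {
	return Settings{MaxFrameSize: minMaxFrameSize, InitialWindowSize: 65535, EnablePush: true}
}

// ApplySettingsFrame parses one complete SETTINGS frame and returns the updated
// settings. Every value is validated before anything is applied, so a
// SETTINGS_MAX_FRAME_SIZE of 0 ends in PROTOCOL_ERROR instead of reaching the writer.
func ApplySettingsFrame(cur Settings, frame []byte) (Settings, error) {
	if len(frame) < 9 {
		return cur, ErrFrameSize
	}
	length := int(frame[0])<<16 | int(frame[1])<<8 | int(frame[2])
	typ, flags := frame[3], frame[4]
	streamID := uint32(frame[5]&0x7f)<<24 | uint32(frame[6])<<16 | uint32(frame[7])<<8 | uint32(frame[8])
	if typ != frameTypeSettings || streamID != 0 {
		return cur, ErrProtocol
	}
	payload := frame[9:]
	if len(payload) != length || length%6 != 0 || (flags&0x1 != 0 && length != 0) {
		return cur, ErrFrameSize // short or long payload, or an ACK that carries a payload
	}
	next := cur
	for off := 0; off < length; off += 6 {
		id := uint16(payload[off])<<8 | uint16(payload[off+1])
		val := uint32(payload[off+2])<<24 | uint32(payload[off+3])<<16 | uint32(payload[off+4])<<8 | uint32(payload[off+5])
		switch id {
		case SettingsMaxFrameSize:
			if val < minMaxFrameSize || val > maxMaxFrameSize {
				return cur, fmt.Errorf("%w: SETTINGS_MAX_FRAME_SIZE=%d", ErrProtocol, val)
			}
			next.MaxFrameSize = val
		case SettingsInitialWindowSize:
			if val > maxWindowSize {
				return cur, fmt.Errorf("%w: SETTINGS_INITIAL_WINDOW_SIZE=%d", ErrFlowControl, val)
			}
			next.InitialWindowSize = val
		case SettingsEnablePush:
			if val > 1 {
				return cur, fmt.Errorf("%w: SETTINGS_ENABLE_PUSH=%d", ErrProtocol, val)
			}
			next.EnablePush = val == 1
		}
		// Unknown identifiers are ignored, as the RFC requires.
	}
	return next, nil
}

// SettingsFrame builds a non-ACK SETTINGS frame on stream 0 from id/value pairs (constructed test input).
func SettingsFrame(pairs ...uint32) []byte {
	var payload []byte
	for i := 0; i+1 < len(pairs); i += 2 {
		id, v := uint16(pairs[i]), pairs[i+1]
		payload = append(payload, byte(id>>8), byte(id), byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
	}
	hdr := []byte{byte(len(payload) >> 16), byte(len(payload) >> 8), byte(len(payload)), frameTypeSettings, 0, 0, 0, 0, 0}
	return append(hdr, payload...)
}

func main() {
	for _, f := range [][]byte{
		SettingsFrame(uint32(SettingsMaxFrameSize), 0),     // the advisory's trigger
		SettingsFrame(uint32(SettingsMaxFrameSize), 1<<16), // a valid increase
	} {
		s, err := ApplySettingsFrame(DefaultSettings(), f)
		fmt.Printf("% x -> MaxFrameSize=%d err=%v\n", f, s.MaxFrameSize, err)
	}
}
```

The first frame is rejected with PROTOCOL_ERROR and the current settings are returned unchanged; the second raises the limit to 65536. Returning the old state on error matters: a transport that had already stored the 0 before noticing would be in the looping state the advisory describes.
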
github-actions Bot commented Jul 4, 2026 (Outdated)

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name: 8.2.32-fpm-alpine3.24
Digest: sha256:a628de5009166b3602b79a270ae5cecbaa5bff01675bb4a1fae9dce4cc0b584d
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 33 MB
Packages: 61
Flavor: alpine
OS: 3.24
Runtime: 8.2.32
The base image is also available under the supported tag(s): 8.2-fpm-alpine3.24, 8.2.32-fpm-alpine, 8.2.32-fpm-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.4-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.4.23-fpm-alpine
  • 8.4.23-fpm-alpine3.24
  • 8.4-fpm-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.4.23
Pushed: 1 day ago

Tag: 8.3-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.3.32-fpm-alpine
  • 8.3.32-fpm-alpine3.24
  • 8.3-fpm-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.3.32
Pushed: 1 day ago

Tag: 8.5-fpm-alpine
Details: Image has same number of vulnerabilities
Also known as:
  • 8.5.7-fpm-alpine
  • 8.5.7-fpm-alpine3.24
  • 8.5-fpm-alpine3.24
  • 8-fpm-alpine
  • 8-fpm-alpine3.24
  • fpm-alpine
  • fpm-alpine3.24
Benefits:
  • Same OS detected
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 39 MB
  • Flavor: alpine
  • OS: 3.24
Pushed: 2 weeks ago

github-actions Bot commented Jul 4, 2026 (Outdated)

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.4-alpine

Name: 8.4.23-alpine3.24
Digest: sha256:dfdfa6b3a505d58103fbad3de655dec3423963772a42c8ddbdddd6d3a050c724
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 42 MB
Packages: 60
Flavor: alpine
OS: 3.24
Runtime: 8.4.23
The base image is also available under the supported tag(s): 8.4-alpine3.24, 8.4-cli-alpine, 8.4-cli-alpine3.24, 8.4.23-alpine, 8.4.23-alpine3.24, 8.4.23-cli-alpine, 8.4.23-cli-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.5-alpine
Details: Minor runtime version update
Also known as:
  • 8.5.7-cli-alpine
  • 8.5.7-cli-alpine3.24
  • 8.5-cli-alpine
  • 8.5-cli-alpine3.24
  • 8-cli-alpine
  • 8-cli-alpine3.24
  • cli-alpine
  • cli-alpine3.24
  • alpine
  • alpine3.24
  • 8.5.7-alpine
  • 8.5.7-alpine3.24
  • 8.5-alpine3.24
  • 8-alpine
  • 8-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 45 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.5.7
Pushed: 2 weeks ago

github-actions Bot commented Jul 4, 2026 (Outdated)

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:7236be7f8e9ff3c4a9be396417d75a072344b3674900543015288b4e562a7bc3
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 114 MB
packages: 254
📦 Base Image php:8.4-fpm-alpine
also known as
  • 8.4-fpm-alpine3.24
  • 8.4.23-fpm-alpine
  • 8.4.23-fpm-alpine3.24
digest: sha256:a68235b11ad83b56e06c373284f31953b6532a345953335659fdfc8ea72aa474
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

import (
    "context"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects a unary request whose method name lacks the
// canonical leading slash before any authorization logic can see it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor stands for
// your existing path-based authorization interceptor (e.g. grpc/authz). Streaming
// RPCs need the same check on grpc.StreamServerInfo.FullMethod via grpc.ChainStreamInterceptor.
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

@github-actions

github-actions Bot commented Jul 4, 2026

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.4-fpm-alpine

Name: 8.4.23-fpm-alpine3.24
Digest: sha256:a68235b11ad83b56e06c373284f31953b6532a345953335659fdfc8ea72aa474
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 36 MB
Packages: 61
Flavor: alpine
OS: 3.24
Runtime: 8.4.23
The base image is also available under the supported tag(s): 8.4-fpm-alpine3.24, 8.4.23-fpm-alpine, 8.4.23-fpm-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.5-fpm-alpine (pushed 2 weeks ago)
Details: Image has same number of vulnerabilities
Also known as:
  • 8.5.7-fpm-alpine
  • 8.5.7-fpm-alpine3.24
  • 8.5-fpm-alpine3.24
  • 8-fpm-alpine
  • 8-fpm-alpine3.24
  • fpm-alpine
  • fpm-alpine3.24
Benefits:
  • Same OS detected
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 39 MB
  • Flavor: alpine
  • OS: 3.24



@github-actions

github-actions Bot commented Jul 4, 2026


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:792380a5152af43437062e772419493bcf737544baa4ce685f750c1035845486
vulnerabilities: critical: 9 high: 6 medium: 0 low: 0
platform: linux/amd64
size: 111 MB
packages: 254
📦 Base Image: php:8.3-fpm-alpine
also known as:
  • 8.3-fpm-alpine3.24
  • 8.3.32-fpm-alpine
  • 8.3.32-fpm-alpine3.24
digest: sha256:f63f8152e78b0e0748104fd321e9f33e641b58c40657cb7af126a5dc6edb4d5e
vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
critical: 7 high: 3 medium: 0 low: 0 golang.org/x/crypto 0.38.0 (golang)

pkg:golang/golang.org/x/crypto@0.38.0

critical: CVE-2026-46595

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.440%
EPSS Percentile: 35th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical: CVE-2026-42508

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.469%
EPSS Percentile: 37th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical: CVE-2026-39834

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.466%
EPSS Percentile: 37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical: CVE-2026-39833

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.360%
EPSS Percentile: 28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical: CVE-2026-39832

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.338%
EPSS Percentile: 26th percentile
Description

When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical: CVE-2026-39831

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.373%
EPSS Percentile: 29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical: CVE-2026-39830

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.500%
EPSS Percentile: 39th percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high: CVE-2026-46597

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.359%
EPSS Percentile: 28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high: CVE-2026-39829

Affected range: <0.52.0
Fixed version: 0.52.0
EPSS Score: 0.400%
EPSS Percentile: 32nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.591%
EPSS Percentile: 44th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 1 high: 1 medium: 0 low: 0 golang.org/x/net 0.40.0 (golang)

pkg:golang/golang.org/x/net@0.40.0

critical: CVE-2026-39821

Affected range: <0.55.0
Fixed version: 0.55.0
EPSS Score: 0.478%
EPSS Percentile: 38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

high: CVE-2026-33814

Affected range: <0.53.0
Fixed version: 0.53.0
EPSS Score: 0.781%
EPSS Percentile: 51st percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.557%
EPSS Percentile: 72nd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

import (
    "context"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

// pathValidationInterceptor rejects a unary request whose method name lacks the
// canonical leading slash before any authorization logic can see it.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor stands for
// your existing path-based authorization interceptor (e.g. grpc/authz). Streaming
// RPCs need the same check on grpc.StreamServerInfo.FullMethod via grpc.ChainStreamInterceptor.
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

high: CVE-2026-42504

Affected range: >=1.26.0-0, <1.26.4
Fixed version: 1.26.4
EPSS Score: 0.560%
EPSS Percentile: 42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

critical: 0 high: 1 medium: 0 low: 0 github.com/antchfx/xpath 1.3.3 (golang)

pkg:golang/github.com/antchfx/xpath@1.3.3

high 7.5: CVE-2026-32287 Uncontrolled Resource Consumption

Affected range: <1.3.6
Fixed version: 1.3.6
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.519%
EPSS Percentile: 40th percentile
Description

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

@github-actions

github-actions Bot commented Jul 4, 2026


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name: 8.3.32-fpm-alpine3.24
Digest: sha256:f63f8152e78b0e0748104fd321e9f33e641b58c40657cb7af126a5dc6edb4d5e
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 2 unspecified: 2
Pushed: 1 day ago
Size: 33 MB
Packages: 61
Flavor: alpine
OS: 3.24
Runtime: 8.3.32
The base image is also available under the supported tag(s): 8.3-fpm-alpine3.24, 8.3.32-fpm-alpine, 8.3.32-fpm-alpine3.24

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: 8.4-fpm-alpine (pushed 1 day ago)
Details: Minor runtime version update
Also known as:
  • 8.4.23-fpm-alpine
  • 8.4.23-fpm-alpine3.24
  • 8.4-fpm-alpine3.24
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.24
  • Runtime: 8.4.23

Tag: 8.5-fpm-alpine (pushed 2 weeks ago)
Details: Image has same number of vulnerabilities
Also known as:
  • 8.5.7-fpm-alpine
  • 8.5.7-fpm-alpine3.24
  • 8.5-fpm-alpine3.24
  • 8-fpm-alpine
  • 8-fpm-alpine3.24
  • fpm-alpine
  • fpm-alpine3.24
Benefits:
  • Same OS detected
  • Image contains 1 fewer package
  • Image has similar size
  • Image has same number of vulnerabilities
Image details:
  • Size: 39 MB
  • Flavor: alpine
  • OS: 3.24



Labels

type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci)
