Closed
Summary
The v0.13.2 release binary appears to have been built with Go 1.25.1, even though the go.mod specifies go 1.25.7. This causes vulnerability scanners (grype, trivy, etc.) to flag the extension with Critical CVE-2025-68121 in Go's stdlib.
Evidence
Running grype against a Lambda container using vault-lambda-extension v0.13.2:
NAME    INSTALLED  FIXED IN                        TYPE       VULNERABILITY   SEVERITY
stdlib  go1.25.1   1.24.13, *1.25.7, 1.26.0-rc.3   go-module  CVE-2025-68121  Critical
Verified by downloading the binary directly and checking:
$ go version /tmp/vle-check/extensions/vault-lambda-extension
/tmp/vle-check/extensions/vault-lambda-extension: go1.25.1
The go.mod in the repo shows:
go 1.25.7
Impact
Users with security pipelines configured to fail on Critical CVEs cannot use the extension until this is resolved.
Request
Please rebuild and release v0.13.3 (or v0.14.0) using Go 1.25.7+ to include the fix for CVE-2025-68121.
Thank you!
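The manual check in the Evidence section (run `go version <binary>`, compare against the `go` directive in go.mod) is easy to automate as a release or pipeline gate. The following Go program is an added example, not code from the issue or from the vault-lambda-extension project. It reads the toolchain version embedded in a binary with the standard library's debug/buildinfo package, parses the `go` directive out of a go.mod, and fails when the binary was built with an older toolchain than the module requires. The program name `gocheck` and the exit codes are assumptions made for the example.

```go
// Added example (not part of the issue or the vault-lambda-extension project):
// verify that a released Go binary was built with at least the toolchain that
// its repository's go.mod requires. It automates the `go version <binary>`
// comparison the reporter did by hand.
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"strings"
)

// requiredGoVersion extracts the `go` directive from go.mod contents and
// returns it in the "go1.25.7" form that go/version expects.
func requiredGoVersion(goMod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			v := "go" + fields[1]
			if !version.IsValid(v) {
				return "", fmt.Errorf("go.mod has invalid go directive %q", fields[1])
			}
			return v, nil
		}
	}
	return "", fmt.Errorf("go.mod has no go directive")
}

// toolchainOK reports whether a binary built with builtWith satisfies the
// go.mod requirement. Both values are "goX.Y.Z" strings, the same form that
// `go version <binary>` prints. A "devel ..." toolchain string is rejected
// because it cannot be compared against a release.
func toolchainOK(builtWith, required string) (bool, error) {
	if !version.IsValid(builtWith) {
		return false, fmt.Errorf("cannot compare non-release toolchain %q", builtWith)
	}
	return version.Compare(builtWith, required) >= 0, nil
}

// checkBinary reads the Go version baked into the binary at path and compares
// it against the go.mod contents. It returns the built-with version so callers
// can report it next to the verdict.
func checkBinary(path, goMod string) (built string, ok bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("reading build info from %s: %w", path, err)
	}
	required, err := requiredGoVersion(goMod)
	if err != nil {
		return bi.GoVersion, false, err
	}
	ok, err = toolchainOK(bi.GoVersion, required)
	return bi.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <go.mod>")
		os.Exit(2)
	}
	goMod, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	built, ok, err := checkBinary(os.Args[1], string(goMod))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !ok {
		// Exit 1 so a CI step fails: the binary predates the toolchain go.mod pins.
		fmt.Printf("FAIL: %s was built with %s, go.mod requires a newer toolchain\n", os.Args[1], built)
		os.Exit(1)
	}
	fmt.Printf("OK: %s was built with %s\n", os.Args[1], built)
}
```

Run it as `gocheck ./extensions/vault-lambda-extension ./go.mod` against an extracted release artifact. The comparison uses the standard go/version package, so it orders release candidates and point releases correctly (go1.25.1 sorts before go1.25.7, and go1.26.0-rc.3 style strings must first be normalized to Go's own "go1.26rc3" spelling, which this example does not do). Note that go.mod's `go` line states the minimum language version the module expects; a binary built with an older toolchain is exactly what scanners such as grype pick up from the stdlib entry in the build info.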