New Vulnerability Finding for X-Crypto and Go (Dec-2025)

Currently, I am working on building a Fargate-Gitlab-Runner container image using https://gitlab-runner-custom-fargate-downloads.s3.amazonaws.com/latest/fargate-linux-amd64. Below is the Gitlab Container Scanning report from 1-Dec-2025.

Vulnerability ID: CVE-2025-47914, CVE-2025-58181
Affected Library: golang.org/x/crypto
Analysis & Reason:

  Reason: The Fargate driver relies on the x/crypto/ssh library to connect securely to Fargate task containers, using SSH keys generated on the fly.

  The Flaw: The version compiled into the binary (v0.42.0) has bugs in the SSH server component: message sizes and authentication mechanisms are not validated correctly, which can lead to panics (crashes) or memory exhaustion.

  Why it's there: The go.mod file in the source repository most likely pinned an older version of this library at the time the S3 binary was built.

Vulnerability ID: CVE-2025-58183, CVE-2025-58186, CVE-2025-58187
Affected Library: stdlib (Go Standard Library)
Analysis & Reason:

  Reason: The Fargate driver is written in Go. When it was compiled, the Go toolchain embedded the standard library functions it uses (HTTP request handling, TAR parsing, certificate checking) directly into the executable, so standard library bugs ship inside the binary itself.

  The Flaw: The report shows the binary was built with Go 1.25.1. That version contains critical bugs in archive/tar (unbounded memory usage), net/http (memory exhaustion during cookie parsing), and crypto/x509 (CPU exhaustion while processing certificates).

  Why it's there: The binary on S3 was built with the Go 1.25.1 compiler and has not yet been rebuilt with the patched Go 1.25.3 compiler.
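Both findings above come down to versions baked into the binary at build time, and both can be confirmed without a scanner: `go version -m <binary>` prints the toolchain version and every module the binary was linked against. The script below is an added example, not part of the original post or of the Fargate driver project. It parses that output, pulls out the Go toolchain version and the golang.org/x/crypto version, and compares them against required minimums. The embedded sample output is constructed: the module path `example.invalid/fargate-driver` and the `h1:PLACEHOLDER` hash are placeholders, and only `go1.25.1` and `v0.42.0` are taken from the scan report. The patched Go release 1.25.3 is the one the report names; the fixed x/crypto version is not stated in the report, so it is left as an empty `XCRYPTO_MIN` to be filled in from the advisories.

```shell
#!/bin/sh
# Added example: audit a Go binary's embedded build info against minimum versions.
# Real input comes from:  go version -m fargate-linux-amd64
# The sample below is constructed; only go1.25.1 and x/crypto v0.42.0 come from
# the scan report. Module path and h1: hash are placeholders.
SAMPLE_BUILDINFO=$(printf 'fargate-linux-amd64: go1.25.1\n\tpath\texample.invalid/fargate-driver\n\tmod\texample.invalid/fargate-driver\t(devel)\n\tdep\tgolang.org/x/crypto\tv0.42.0\th1:PLACEHOLDER\n\tbuild\t-buildmode=exe\n')

# go_version_of BUILDINFO: toolchain version from the first line ("name: go1.25.1")
go_version_of() {
  printf '%s\n' "$1" | sed -n '1s/.*: \(go[0-9.]*\).*/\1/p'
}

# dep_version_of BUILDINFO MODULE: version column of the matching tab-separated "dep" line
dep_version_of() {
  printf '%s\n' "$1" | awk -F '\t' -v m="$2" '$2 == "dep" && $3 == m { print $4 }'
}

# version_lt A B: succeed when dotted version A is older than B. "go"/"v" prefixes
# and any pre-release suffix are ignored, so go1.25.1 < go1.25.3 and v0.42.0 < v0.43.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^(go|v)/, "", a); sub(/^(go|v)/, "", b)
    sub(/-.*/, "", a);     sub(/-.*/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# audit_buildinfo BUILDINFO GO_MIN XCRYPTO_MIN: print findings; return 0 when the
# binary meets both minimums, 1 when a rebuild is needed. An empty XCRYPTO_MIN only
# reports the x/crypto version found, without judging it.
audit_buildinfo() {
  bi=$1; go_min=$2; xc_min=$3; rc=0
  gv=$(go_version_of "$bi")
  if version_lt "$gv" "$go_min"; then
    echo "toolchain $gv is older than $go_min: stdlib fixes missing, rebuild with a newer Go"
    rc=1
  else
    echo "toolchain $gv meets minimum $go_min"
  fi
  xv=$(dep_version_of "$bi" golang.org/x/crypto)
  if [ -z "$xv" ]; then
    echo "golang.org/x/crypto not linked into this binary"
  elif [ -n "$xc_min" ] && version_lt "$xv" "$xc_min"; then
    echo "golang.org/x/crypto $xv is older than $xc_min: bump it in go.mod and rebuild"
    rc=1
  else
    echo "golang.org/x/crypto $xv found"
  fi
  return $rc
}

# Usage: go1.25.3 is the patched toolchain named in the report. The fixed x/crypto
# version is not stated there, so XCRYPTO_MIN stays empty until taken from the
# advisories for CVE-2025-47914 / CVE-2025-58181.
audit_buildinfo "$SAMPLE_BUILDINFO" go1.25.3 "${XCRYPTO_MIN:-}" || echo "ACTION REQUIRED: rebuild the driver"
```

Run it against the real download by replacing `SAMPLE_BUILDINFO` with `$(go version -m fargate-linux-amd64)`. The same check belongs in the image build pipeline: rebuilding the driver from source with a patched toolchain and an updated go.mod is the only fix, since the vulnerable code is statically linked into the executable rather than pulled in at runtime.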