Security: Upgrade golang.org/x/crypto to v0.45.0 to fix CVE-2025-47914 & CVE-2025-58181

Summary

Our container security scans have detected multiple vulnerabilities in the golang.org/x/crypto library currently used in the gitlab-runner binary.

Vulnerability Details

The current version used (v0.43.0) is vulnerable to the following CVEs:

  1. CVE-2025-47914 (Medium Severity):

    • Issue: SSH Agent servers do not validate the size of messages, causing panics (DoS) on malformed inputs.
    • Fixed in: v0.45.0
  2. CVE-2025-58181 (Medium Severity):

    • Issue: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms, allowing unbounded memory consumption.
    • Fixed in: v0.45.0

Affected Components

  • Binary: /usr/bin/gitlab-runner
  • Current Dependency Version: v0.43.0
  • Scan Tool: GitLab Container Scanning (Trivy)

Proposal

Please update go.mod to require golang.org/x/crypto v0.45.0 or later to remediate these vulnerabilities.
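
One way to confirm which golang.org/x/crypto version a built binary actually embeds, before and after the go.mod change (an added example, not part of the original issue or the gitlab-runner code base). It reads the module list that the Go toolchain records in the binary via debug/buildinfo and compares it with v0.45.0; the helper names triple and needsUpgrade are hypothetical, and the comparison assumes plain vMAJOR.MINOR.PATCH versions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

const modulePath = "golang.org/x/crypto"
const fixedIn = "v0.45.0" // fixed release named in the issue

// triple parses the leading vMAJOR.MINOR.PATCH of a module version.
// Anything after the patch number (pseudo-version suffixes) is ignored.
func triple(v string) (t [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &t[0], &t[1], &t[2])
	return t, err
}

// needsUpgrade reports whether version sorts before fixedIn.
func needsUpgrade(version string) (bool, error) {
	have, err := triple(version)
	if err != nil {
		return false, err
	}
	want, _ := triple(fixedIn)
	for i := range have {
		if have[i] != want[i] {
			return have[i] < want[i], nil
		}
	}
	return false, nil
}

func main() {
	path := "/usr/bin/gitlab-runner" // binary path from the issue
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path) // module info embedded at build time
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, dep := range info.Deps {
		if dep.Path == modulePath {
			old, err := needsUpgrade(dep.Version)
			fmt.Println(dep.Path, dep.Version, "needs upgrade:", old, err)
		}
	}
}
```

Run it against the binary inside the scanned image; a result of "needs upgrade: false" after rebuilding confirms the new dependency version reached the shipped artifact and not only go.mod.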