Security: Update Go version to fix CVE-2025-58183

Summary

Container security scans flag high-severity findings in the official gitlab-runner images and the Go binaries they ship. The findings stem from the Go toolchain the binaries were compiled with (the stdlib CVE detailed below) and from outdated Docker dependencies.

Vulnerability Details

1. CVE-2025-58183 (High Severity) - Go Standard Library

  • Component: stdlib (archive/tar)
  • Issue: tar.Reader allocates memory without an upper bound while parsing the sparse map of a maliciously crafted archive, so a small attacker-supplied archive can exhaust memory and crash the process (out-of-memory denial of service).
  • Current State: The shipped binaries appear to have been built with a Go release that predates the fix (the toolchain version embedded in each binary can be read with go version -m <binary>).
  • Remediation: Recompile the binaries with Go 1.24.8 or 1.25.2 (the first patched releases of their respective lines) or any later release. Every Go binary statically embeds its own copy of the standard library, so each affected binary must be rebuilt; updating the base image alone does not help.

Affected Artifacts

  • gitlab/gitlab-runner:alpine3.21-v18.6.3
  • Binary: /usr/bin/gitlab-runner
  • Binary: /usr/bin/docker-machine
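
To confirm the "Current State" claim against the two binaries listed above (for example after copying them out of the gitlab/gitlab-runner:alpine3.21-v18.6.3 image with docker cp), the following is an added example that is not part of the gitlab-runner project or of this issue. It reads the toolchain version the Go linker embeds in every module-aware binary (the same data go version -m prints) and compares it against the fixed releases from the Remediation line using the standard library's go/version ordering. The function and variable names are my own; only the fixed-version table comes from this issue.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

// First patched release per supported Go line for CVE-2025-58183 (archive/tar),
// as given in the Remediation line of this issue. Lines older than go1.24 were
// out of support when the fix shipped and never received it.
var cve202558183FixedIn = map[string]string{
	"go1.24": "go1.24.8",
	"go1.25": "go1.25.2",
}

// IsAffectedByCVE202558183 reports whether a toolchain version string such as
// "go1.24.7" or "go1.25rc2" predates the fix. Ordering follows go/version, so
// release candidates sort before the .0 release and are treated as affected.
func IsAffectedByCVE202558183(goVersion string) (bool, error) {
	if !version.IsValid(goVersion) {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	lang := version.Lang(goVersion) // "go1.24.7" -> "go1.24"
	if version.Compare(lang, "go1.24") < 0 {
		return true, nil // go1.23 and earlier: no patched release exists
	}
	if fixed, ok := cve202558183FixedIn[lang]; ok {
		return version.Compare(goVersion, fixed) < 0, nil
	}
	return false, nil // go1.26 and later were cut after the fix landed
}

// BinaryGoVersion reads the toolchain version the Go linker embeds in every
// Go 1.18+ binary; it is the "go" line that `go version -m <binary>` prints.
func BinaryGoVersion(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	return info.GoVersion, nil
}

// CheckBinary returns the embedded toolchain version of the binary at path
// and whether that version is affected by CVE-2025-58183.
func CheckBinary(path string) (goVersion string, affected bool, err error) {
	goVersion, err = BinaryGoVersion(path)
	if err != nil {
		return "", false, err
	}
	affected, err = IsAffectedByCVE202558183(goVersion)
	return goVersion, affected, err
}

// main makes the file usable as a scanner over files copied out of the image:
// exit status 1 if any binary is affected, 2 on read errors, 0 otherwise.
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: go run check.go <binary>...")
		os.Exit(2)
	}
	status := 0
	for _, path := range os.Args[1:] {
		ver, affected, err := CheckBinary(path)
		switch {
		case err != nil:
			fmt.Printf("%s: ERROR %v\n", path, err)
			status = 2
		case affected:
			fmt.Printf("%s: built with %s, AFFECTED by CVE-2025-58183 (rebuild with go1.24.8 / go1.25.2 or later)\n", path, ver)
			if status == 0 {
				status = 1
			}
		default:
			fmt.Printf("%s: built with %s, not affected\n", path, ver)
		}
	}
	os.Exit(status)
}
```

Run it as go run check.go /usr/bin/gitlab-runner /usr/bin/docker-machine against files copied out of the image; a non-zero exit means at least one binary predates the fix or could not be read. The check is about the toolchain only: it does not tell you whether archive/tar is actually reachable from the binary's code. govulncheck -mode=binary performs that reachability analysis and is the right tool for deciding whether a given finding is exploitable, but for a release pipeline the simpler rule still applies: rebuild with a patched toolchain regardless.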

Proposal

  1. Update Toolchain: Bump the Go version used in the build pipeline (.gitlab-ci.yml / Makefile) to the latest secure patch release (e.g., Go 1.25.3) to fix the stdlib CVE, and rebuild both binaries listed above so that each one picks up the patched standard library.
Edited by Kent Yong