Update Dockerfile to fix CVEs: CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61729, CVE-2025-61727

### Description
The main Dockerfile currently uses `golang:1.25-alpine3.21` as the base image in the official build ([Dockerfile, line 1](https://github.com/golang-migrate/migrate/blob/257fa847d614efe3948c25e9033e92b930527dec/Dockerfile#L1)), which contains Go 1.25.4. This version has several known CVEs that need to be addressed:
- CVE-2025-68121
- CVE-2025-61726
- CVE-2025-61728
- CVE-2025-61730
- CVE-2025-61729
- CVE-2025-61727

### Impact
These CVEs affect:

* Docker images built from the current Dockerfile
* Any containerized deployments using the official image
* Database connections using TLS/SSL certificates
* Certificate validation in PKI environments
* Applications relying on mutual TLS authentication

- CVE-2025-61729 ([GHSA-7c64-f9jr-v9h2](https://github.com/advisories/GHSA-7c64-f9jr-v9h2)) can lead to Denial of Service (DoS) through resource exhaustion when processing malicious certificates with excessive hostname configurations.
- CVE-2025-61727 ([GHSA-5mh9-3jwc-rp59](https://github.com/advisories/GHSA-5mh9-3jwc-rp59)) allows bypassing excluded subdomain constraints using wildcard SANs, allowing unauthorized certificate usage (e.g., exclusion for test.example.com does not prevent *.example.com SAN).

### Proposed Fix
Update the main [Dockerfile](https://github.com/golang-migrate/migrate/blob/257fa847d614efe3948c25e9033e92b930527dec/Dockerfile#L1) to use Go 1.25.5 or later, which includes fixes for these CVEs.

**Current (Go 1.25.4):**
```
FROM golang:1.25-alpine3.21 AS builder
```
**Proposed (Go 1.25.7):**
```
FROM 1.25.7-alpine3.22 AS builder
```

### Vulnerability Details
- [CVE-2025-61729 - GHSA-7c64-f9jr-v9h2](https://github.com/advisories/GHSA-7c64-f9jr-v9h2) (High, CVSS: 7.5)
  - Affected Package: crypto/x509
  - CWE: CWE-770 (Resource Allocation Without Limits)
  - Ref: https://github.com/golang/go/issues/76445
- [CVE-2025-61727 - GHSA-5mh9-3jwc-rp59](https://github.com/advisories/GHSA-5mh9-3jwc-rp59) (Medium, CVSS: 6.5)
  - Affected Package: crypto/x509
  - CWE: CWE-295 (Improper Certificate Validation)
  - Ref: https://github.com/golang/go/issues/76442
- [CVE-2025-68121 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-68121)
- [CVE-2025-61726 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61726)
- [CVE-2025-61728 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61728)
- [CVE-2025-61730 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61730)

### References
- [Go 1.25.7 Release Notes](https://go.dev/doc/devel/release#go1.25.7)
- [Go Announcement](https://groups.google.com/g/golang-announce/c/8FJoBkPddm4)
- [Main Dockerfile](https://github.com/golang-migrate/migrate/blob/v4.19.1/Dockerfile#L1)

### Additional Context
All vulnerabilities were fixed in Go 1.25.7 (released December 2, 2025). The update is a simple version bump with no breaking changes expected. Given that golang-migrate often handles database connections with TLS/SSL, addressing these certificate validation vulnerabilities is important for secure deployments.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update Dockerfile to fix CVEs: CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61729, CVE-2025-61727 #1357

Description

Impact

Proposed Fix

Vulnerability Details

References

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Update Dockerfile to fix CVEs: CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61729, CVE-2025-61727 #1357

Description

Description

Impact

Proposed Fix

Vulnerability Details

References

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions