Skip to content

fix(deps): update module github.com/crossplane/crossplane/v2 to v2.3.3 [security]#356

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-crossplane-crossplane-v2-vulnerability
Open

fix(deps): update module github.com/crossplane/crossplane/v2 to v2.3.3 [security]#356
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-crossplane-crossplane-v2-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/crossplane/crossplane/v2 v2.3.2v2.3.3 age confidence

Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag

GHSA-wfqx-gjrf-g28r

More information

Details

Summary

Crossplane allows package signature verification to be configured via the ImageConfig mechanism. When enabled, the package manager uses cosign to verify that packages are correctly signed before pulling and installing them.

When a package is installed using a tag reference (e.g., a semantic version), a malicious OCI registry could serve a correctly signed image for verification, then subsequently serve an unsigned image for installation. This is possible because Crossplane resolves the tag reference separately for each step.

This vulnerability is relevant only for users who do all three of the following:

  1. Configure signature verification for packages,
  2. Install packages using tag references rather than digests, and
  3. Install packages from registries they do not control.
Mitigation

Installing packages by image digest rather than using tags avoids this issue.

Fix

The package manager has been updated to resolve tag references once and use the resulting digest for both signature verification and image fetching. This ensures that Crossplane pulls the same content that had its signature verified. The fix has been applied to Crossplane's main branch and backported to the v2.3 and v2.2 release branches; it will be released in v2.3.3 and v2.2.3.

Credits

This issue was reported, independently, by @​bugbunny-research and @​tonghuaroot.

Severity

  • CVSS Score: 9.0 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

crossplane/crossplane (github.com/crossplane/crossplane/v2)

v2.3.3

Compare Source

v2.3.3 is a patch release scoped to fixing issues reported by users of Crossplane v2.3 and fixing security related issues in Crossplane's dependencies.

🎉 Highlights

  • Fixed package signature verification TOCTOU (GHSA-mf7q-r4rv-jv94): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation. For v2.3 this fix ships via the crossplane-runtime v2.3.3 bump in #​7541, since the affected code moved from crossplane to crossplane-runtime during the v2.3 milestone. See the crossplane-runtime v2.3.3 release notes for the full details.
  • Correct namespace on injected resource refs in crossplane render: crossplane render previously set a namespace on every injected resource reference, which is inaccurate for namespaced XRs (whose resource refs are local and carry no namespace) and broke composition functions with strict schemas, such as the generated KCL bindings used in control plane projects. Render now matches the real reconciler and sets the namespace only for cluster-scoped XRs. Backported in #​7525, originally fixed in #​7523.
  • Dependency security updates: This release also bumps the Go toolchain to 1.25.11 and golang.org/x/net and golang.org/x/sys in the apis module to pick up CVE fixes (#​7530). See ## What's Changed below for the full list.

What's Changed

Full Changelog: crossplane/crossplane@v2.3.2...v2.3.3

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copilot AI review requested due to automatic review settings June 22, 2026 20:01
@renovate renovate Bot added the automated label Jun 22, 2026
@renovate renovate Bot requested review from jcogilvie and tampakrap as code owners June 22, 2026 20:01
Copilot AI reviewed Jun 22, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jcogilvie jcogilvie Awaiting requested review from jcogilvie jcogilvie is a code owner

@tampakrap tampakrap Awaiting requested review from tampakrap tampakrap is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automated

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant