Summary
The v0.13.2 release binary appears to have been built with Go 1.25.1, even though the go.mod specifies go 1.25.7. This causes vulnerability scanners (grype, trivy, etc.) to flag the extension with Critical CVE-2025-68121 in Go's stdlib.
Evidence
Running grype against a Lambda container using vault-lambda-extension v0.13.2:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY
stdlib go1.25.1 1.24.13, *1.25.7, 1.26.0-rc.3 go-module CVE-2025-68121 Critical
Verified by downloading the binary directly and checking:
$ go version /tmp/vle-check/extensions/vault-lambda-extension
/tmp/vle-check/extensions/vault-lambda-extension: go1.25.1
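The same comparison can be automated in a release or CI pipeline. The following Go program is an added example, not code from vault-lambda-extension: it reads the toolchain version stamped into a binary with debug/buildinfo (the value `go version <file>` prints) and checks it against the `go` directive of the go.mod text. The function names and the go.mod snippet in the comments are assumptions; the version forms it accepts are the ones shown above (go1.25.1, 1.25.7, 1.26.0-rc.3).

```go
// Added example, not project code: verify a Go binary's toolchain against go.mod.
package main

import (
	"debug/buildinfo"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// VersionTuple turns "go1.25.1", "1.25.7" or "go1.26rc1" into [major, minor, patch];
// a missing patch is 0 and pre-release markers ("rc1", "-rc.3") are dropped.
func VersionTuple(v string) (out [3]int, err error) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("bad Go version component %q", p)
		}
	}
	return out, nil
}

// AtLeast reports whether toolchain `built` satisfies `required`; AtLeast("go1.25.1", "1.25.7") is false.
func AtLeast(built, required string) (bool, error) {
	b, err1 := VersionTuple(built)
	r, err2 := VersionTuple(required)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot compare %q with %q", built, required)
	}
	return slices.Compare(b[:], r[:]) >= 0, nil
}

// CheckBinary reads the Go version stamped into a binary (what `go version <file>` prints) and checks it against go.mod's go directive.
func CheckBinary(binaryPath, gomod string) (built string, ok bool, err error) {
	info, err := buildinfo.ReadFile(binaryPath)
	if err != nil {
		return "", false, err
	}
	required := "" // stays empty when go.mod has no go directive, which AtLeast then rejects
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			required = f[1]
		}
	}
	ok, err = AtLeast(info.GoVersion, required)
	return info.GoVersion, ok, err
}
```

Running CheckBinary on the downloaded extension binary with the repository's go.mod text returns ok=false for a go1.25.1 build against `go 1.25.7`, which is the condition a pipeline should fail on.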
The go.mod in the repo shows:
Impact
Users with security pipelines configured to fail on Critical CVEs cannot use the extension until this is resolved.
Request
Please rebuild and release v0.13.3 (or v0.14.0) using Go 1.25.7+ to include the fix for CVE-2025-68121.
Thank you!