removed vulnerabilities by upgrading the go version

[yashGoyal40]

🔒 Security: Fix Critical CVE Vulnerabilities in grpcurl

Overview

This PR addresses 10 critical and high-severity security vulnerabilities (CVEs) in the grpcurl fork by upgrading Go and dependencies to their latest secure versions.

🚨 Vulnerabilities Fixed

CVE ID	Severity	Score	Description	Status
CVE-2024-24790	Critical	9.8	IPv4-mapped IPv6 addresses issue in net/netip	✅ Fixed
CVE-2025-22871	High	9.1	HTTP request smuggling vulnerability in net/http	✅ Fixed
CVE-2024-24784	High	7.5	Incorrect handling of comments in display names within net/mail	✅ Fixed
CVE-2022-30635	High	7.5	Potential stack exhaustion in Decoder.Decode	✅ Fixed
CVE-2023-45283	High	7.5	Denial of service vulnerability in net/http package	✅ Fixed
CVE-2023-44487	High	7.5	Denial of service vulnerability in net/http package	✅ Fixed
CVE-2024-24791	High	7.5	Denial of service vulnerability in net/http package	✅ Fixed
CVE-2024-34156	High	7.5	Potential stack exhaustion in Decoder.Decode	✅ Fixed
CVE-2024-34158	High	7.5	Potential stack exhaustion in Parse for build tags	✅ Fixed
CVE-2023-39325	High	7.5	Vulnerability in golang.org/x/net	✅ Fixed

🔧 Changes Made

Go Version Upgrade

• Before: Go 1.24.0
• After: Go 1.25.1 (latest stable)
• Impact: All CVE vulnerabilities resolved through Go standard library fixes

Dependency Updates

• gRPC: v1.61.0 → v1.70.0
• golang.org/x/net: v0.38.0 → v0.43.0
• golang.org/x/sys: v0.31.0 → v0.35.0
• golang.org/x/text: v0.23.0 → v0.28.0
• golang.org/x/sync: v0.12.0 → v0.16.0
• golang.org/x/oauth2: v0.27.0 → v0.30.0
• google.golang.org/protobuf: Updated to latest
• github.com/jhump/protoreflect: Updated to latest

Docker Security Enhancements

• Updated Dockerfile to use golang:1.25.1-alpine
• Updated Alpine base image to 3.20
• Fixed Docker build warnings (MAINTAINER → LABEL, FROM casing)
• Maintained multi-stage build for minimal attack surface

✅ Verification

Build & Test Status

• ✅ Build: go build ./cmd/grpcurl - Successful
• ✅ Tests: go test ./... - All tests passing
• ✅ Docker: docker build -t grpcurl-secure . - Successful

Security Scanning

Using Trivy vulnerability scanner:
And Docker Scout

trivy image grpcurl-secure

Results:

• ✅ 0 vulnerabilities detected
• ✅ 0 secrets found
• ✅ 0 misconfigurations detected
• ✅ Clean security report

��️ Security Impact

• Risk Reduction: Eliminated 10 critical/high-severity vulnerabilities
• Attack Surface: Minimized through updated dependencies and Go runtime
• Compliance: Meets security best practices for containerized applications
• Production Ready: Verified through comprehensive testing and scanning

�� Testing

# Verify Go version
go version
# Output: go version go1.25.1 darwin/arm64

# Test Docker image
docker run --rm grpcurl-secure --version
# Output: grpcurl 1.8.9

# Run vulnerability scan
trivy image grpcurl-secure
# Output: 0 vulnerabilities detected

�� References

• Go 1.25.1 Release Notes
• Trivy Vulnerability Scanner
• Docker Security Best Practices

---

⚠️ Breaking Changes: None - This is a security-focused update with full backward compatibility.

[yashGoyal40]

Hi @jhump — just wanted to check if there’s anything else needed from my side to move the PR forward. Thanks!

[carlcauchi]

@jhump @yashGoyal40 any idea when this can be merged please?

[jhump]

@yashGoyal40, @carlcauchi: I don't work at FullStory anymore and am no longer a maintainer, sorry.

@dragonsinth, @gpassini: could one of you take a look? This seems perfectly reasonable to me, to build release binaries with 1.25 going forward.

[dragonsinth]

I can take a look later.

[dragonsinth]

Merged in #543