packeto buildpacks vulnerable to CVE-2025-22874 (ExtKeyUsageAny bypasses policy validation) due to go <1.24.4

[candrews]

I noticed that many Paketo Buildpacks projects (ex, paketobuildpacks/builder-noble-java-tiny:0.0.43) use go 1.24.3 which is susceptible to CVE-2025-22874: ExtKeyUsageAny bypasses policy validation. This raises two questions:

1. Is this vulnerability exploitable for Paketo Buildpacks?
   I don't believe it's exploitable, but an statement/assessment from Paketo would be helpful.
2. When will the buildpacks to be updated to go 1.24.4 (or later) eliminating this vulnerability?

Thank you!

Trivy can be used to see this vulnerability being reported:

$ docker run -it aquasec/trivy image paketobuildpacks/watchexec:3.5.2
2025-06-17T15:37:50Z	WARN	[vulndb] Trivy DB may be corrupted and will be re-downloaded. If you manually downloaded DB - use the `--skip-db-update` flag to skip updating DB.
2025-06-17T15:37:50Z	INFO	[vulndb] Need to update DB
2025-06-17T15:37:50Z	INFO	[vulndb] Downloading vulnerability DB...
2025-06-17T15:37:50Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
65.37 MiB / 65.37 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10.81 MiB p/s 6.2s
2025-06-17T15:37:57Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-06-17T15:37:57Z	INFO	[vuln] Vulnerability scanning is enabled
2025-06-17T15:37:57Z	INFO	[secret] Secret scanning is enabled
2025-06-17T15:37:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-06-17T15:37:57Z	INFO	[secret] Please see also https://trivy.dev/v0.63/docs/scanner/secret#recommendation for faster secret detection
2025-06-17T15:37:59Z	INFO	Number of language-specific files	num=1
2025-06-17T15:37:59Z	INFO	[gobinary] Detecting vulnerabilities...
2025-06-17T15:37:59Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.63/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌───────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                          Target                           │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ cnb/buildpacks/paketo-buildpacks_watchexec/3.5.2/bin/main │ gobinary │        3        │    -    │
└───────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


cnb/buildpacks/paketo-buildpacks_watchexec/3.5.2/bin/main (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22874 │ HIGH     │ fixed  │ v1.24.3           │ 1.24.4          │ crypto/x509: Usage of ExtKeyUsageAny disables policy         │
│         │                │          │        │                   │                 │ validation in crypto/x509                                    │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22874                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-0913  │ MEDIUM   │        │                   │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │                │          │        │                   │                 │ in os in syscall...                                          │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673  │          │        │                   │                 │ Proxy-Authorization and Proxy-Authenticate headers persisted │
│         │                │          │        │                   │                 │ on cross- ...                                                │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

[dmikusa]

Is this vulnerability exploitable for Paketo Buildpacks?
I don't believe it's exploitable, but an statement/assessment from Paketo would be helpful.

I agree, I don't see how that would impact buildpacks. The buildpack itself runs in an environment with your code and various dev tools, so there are much easier ways than a CVE to do something untoward. For example, if you run npm anywhere, you run the risk of an NPM module running a script after it installs and doing something bad. Same risk happens in buildpacks at buildtime, since we run those tools in that environment.

Given this, the area that we focus on the most for security is runtime. i.e. what gets installed into your actual application image. From a buildpack perspective, this is very little. There are some small helper/exec.d Go binaries that may be installed depending on the buildpacks you use. These run prior to your application, so they are important to watch. On occasion, scanners will flag these binaries.

The scanners are almost always flagging them due to Go runtime CVEs. When we see these pop up, we do look at/investigate them. I've been doing this for a while now and I've never seen one that actually impacts our helper/exec.d binaries. The reason is that those binaries do very little. Most of them are just looking at env variables. There are a couple that do a little more, like ca-certificates buildpack has one that will look at some public key certs. Because they don't do a lot, there is a very small attack surface.

If one of these were to be a legitimate issue with Paketo buildpacks, we'd strive to fix it within our usually 48 hour timeline. Since most don't, we follow the low impact path, which means we'd strive to fix these issues within two weeks. I say we "strive to" because ultimately this is an OSS project that runs on volunteers so it depends on volunteer availability.

When will the buildpacks to be updated to go 1.24.4 (or later) eliminating this vulnerability?

We just released a whole bunch of buildpacks on Friday. I think that we just missed the fix in Go for this with that release. Since we just released a big batch of them, I can't say that we'll do the same this week, but it's feasible that we can do a release for the 27th. That's the best I can offer for a timeline, again being an OSS/volunteer run project.

Let me know if you have any questions.

[candrews]

The buildpack releases last week resolved this issue.

For example, paketobuildpacks/ca-certificates:3.10.3 and paketobuildpacks/watchexec:3.5.3 don't have this finding.