Skip to content

grpc_health_probe in opm:v1.55.0 is still using older golang.org/x/crypto v0.31.0 despite go.mod referencing v0.38.0 #1716

@sanjaykatariya

Description

@sanjaykatariya

Describe the bug

The grpc_health_probe binary bundled in the official opm container image (quay.io/operator-framework/opm:v1.55.0) is built using an outdated version of golang.org/x/crypto — specifically v0.31.0, which is known to be vulnerable (e.g., CVE-2025-22869).

However, the go.mod file in the v1.55.0 release references golang.org/x/crypto v0.38.0.

This mismatch suggests that the binary inside the image may not be built from the latest declared dependency — either due to outdated vendored code or inclusion of a precompiled binary.


How to Reproduce

Run the following on any system with Docker:

docker run --rm --entrypoint "" quay.io/operator-framework/opm:v1.55.0 \
  strings /bin/grpc_health_probe | grep 'golang.org/x/crypto'

Output:
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/crypto/sha3
vendor/golang.org/x/crypto/cryptobyte
vendor/golang.org/x/crypto/cryptobyte/asn1
vendor/golang.org/x/crypto/chacha20poly1305
dep golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=

This confirms that grpc_health_probe inside the image is still compiled using v0.31.0, not the secure v0.38.0 version declared in go.mod.

Affecting:
golang.org/x/crypto v0.31.0 is impacted by vulnerabilities including CVE-2025-22869
It affects downstream users who rely on opm base images (e.g., for catalog publishing)
A security scan flags this version even if the go.mod is correct

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions