Summary
The temporal/admin-tools Docker image ships a tctl binary compiled with Go 1.15.11, which reached end-of-life in August 2021. Container security scanning flags 32 vulnerabilities across 25 Go standard-library packages and 7 third-party Go modules embedded in the binary.
None of these appear to have been previously reported in this repository.
Root causes
tctl compiled with Go 1.15.11 (EOL) — all stdlib CVEs stem from this; upgrading the Go toolchain resolves them in one go.
- Third-party Go module dependencies pinned to old versions —
jwt-go, grpc, protobuf, yaml.v3, logrus, go-jose, thrift.
Affected artifact
| Field |
Value |
| Image |
temporal/admin-tools |
| Binary |
/usr/local/bin/tctl |
| Go runtime in binary |
1.15.11 |
Vulnerability Details
Group 1 — Go Standard Library (fix: rebuild tctl with Go ≥ 1.22)
| Package |
Severity |
CVE(s) |
net/http |
High |
CVE-2021-31525, CVE-2021-44716, CVE-2022-1705, CVE-2022-27664, CVE-2022-32148, CVE-2022-41717, CVE-2022-41723, CVE-2023-29406, CVE-2023-39325, CVE-2023-45288, CVE-2025-22870 |
crypto/tls |
High |
CVE-2021-34558, CVE-2022-30629, CVE-2022-41724, CVE-2023-29409, CVE-2023-45287, CVE-2025-58189, CVE-2025-61730, CVE-2025-68121, CVE-2026-32283 |
html/template |
High |
CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400, CVE-2023-39318, CVE-2023-39319, CVE-2026-27142, CVE-2026-32289 |
crypto/x509 |
High |
CVE-2025-58187, CVE-2025-58188, CVE-2025-61727, CVE-2025-61729, CVE-2026-32280, CVE-2026-32281 |
net/http/httputil |
High |
CVE-2021-33197, CVE-2021-36221, CVE-2022-2880, CVE-2026-39825 |
math/big |
High |
CVE-2021-33198, CVE-2022-23772, CVE-2022-32189 |
crypto/elliptic |
High |
CVE-2022-23806, CVE-2022-28327 |
mime/multipart |
High |
CVE-2022-41725, CVE-2023-24536 |
regexp/syntax |
High |
CVE-2022-41715 |
path/filepath |
High |
CVE-2022-30632, CVE-2023-45284 |
encoding/gob |
High |
CVE-2022-30635 |
encoding/xml |
High |
CVE-2022-28131, CVE-2022-30633 |
regexp |
High |
CVE-2022-24921 |
encoding/pem |
High |
CVE-2022-24675, CVE-2025-61723 |
net/http/internal |
Medium |
CVE-2023-39326 |
runtime |
High |
CVE-2023-29403 |
net/textproto |
High |
CVE-2023-24534, CVE-2025-61724 |
database/sql |
High |
CVE-2025-47907 |
net/url |
High |
CVE-2025-47912, CVE-2025-61726, CVE-2026-25679 |
compress/gzip |
High |
CVE-2022-30631 |
net |
High |
CVE-2021-33195 |
os/exec |
Medium |
CVE-2025-47906 |
os |
Low |
CVE-2025-22873, CVE-2026-27139 |
syscall |
Medium |
CVE-2021-44717, CVE-2022-29526 |
encoding/asn1 |
Medium |
CVE-2025-58185 |
Group 2 — Third-Party Go Dependencies (pinned to old versions)
| Package |
Vulnerable Version |
Severity |
CVE(s) |
Suggested Fix |
github.com/dgrijalva/jwt-go |
3.2.0 |
High |
CVE-2020-26160 |
Migrate to github.com/golang-jwt/jwt/v5 |
github.com/apache/thrift/lib/go/thrift |
0.0.0-20161221203622-b2a4d4ae21c7 |
High |
CVE-2019-0210 |
Upgrade to github.com/apache/thrift ≥ 0.12.0 |
google.golang.org/grpc |
1.34.0 |
High |
GO-2023-2153 |
Upgrade to ≥ 1.56.3 |
google.golang.org/protobuf |
1.25.1-0.20201020201750-d3470999428b |
High |
CVE-2024-24786 |
Upgrade to ≥ 1.33.0 |
gopkg.in/yaml.v3 |
3.0.0-20210106172901-c476de37821d |
High |
CVE-2022-28948 |
Upgrade to ≥ 3.0.1 |
gopkg.in/square/go-jose.v2 |
2.5.1 |
Medium |
CVE-2024-28180 |
Migrate to github.com/go-jose/go-jose/v3 ≥ 3.0.3 |
github.com/sirupsen/logrus |
1.7.0 |
High |
CVE-2025-65637 |
Upgrade to ≥ 1.9.3 |
Suggested Fix
- Upgrade Go toolchain used to build
tctl to Go 1.22+ — resolves all 25 stdlib CVEs in one step.
- Update
go.mod for the affected third-party modules:
- Replace
github.com/dgrijalva/jwt-go → github.com/golang-jwt/jwt/v5
- Upgrade
github.com/apache/thrift → ≥ 0.12.0
- Upgrade
google.golang.org/grpc → ≥ 1.56.3
- Upgrade
google.golang.org/protobuf → ≥ 1.33.0
- Upgrade
gopkg.in/yaml.v3 → ≥ 3.0.1
- Migrate
gopkg.in/square/go-jose.v2 → github.com/go-jose/go-jose/v3 ≥ 3.0.3
- Upgrade
github.com/sirupsen/logrus → ≥ 1.9.3
References
Summary
The
temporal/admin-toolsDocker image ships atctlbinary compiled with Go 1.15.11, which reached end-of-life in August 2021. Container security scanning flags 32 vulnerabilities across 25 Go standard-library packages and 7 third-party Go modules embedded in the binary.None of these appear to have been previously reported in this repository.
Root causes
tctlcompiled with Go 1.15.11 (EOL) — all stdlib CVEs stem from this; upgrading the Go toolchain resolves them in one go.jwt-go,grpc,protobuf,yaml.v3,logrus,go-jose,thrift.Affected artifact
temporal/admin-tools/usr/local/bin/tctl1.15.11Vulnerability Details
Group 1 — Go Standard Library (fix: rebuild
tctlwith Go ≥ 1.22)net/httpcrypto/tlshtml/templatecrypto/x509net/http/httputilmath/bigcrypto/ellipticmime/multipartregexp/syntaxpath/filepathencoding/gobencoding/xmlregexpencoding/pemnet/http/internalruntimenet/textprotodatabase/sqlnet/urlcompress/gzipnetos/execossyscallencoding/asn1Group 2 — Third-Party Go Dependencies (pinned to old versions)
github.com/dgrijalva/jwt-go3.2.0github.com/golang-jwt/jwt/v5github.com/apache/thrift/lib/go/thrift0.0.0-20161221203622-b2a4d4ae21c7github.com/apache/thrift≥ 0.12.0google.golang.org/grpc1.34.0google.golang.org/protobuf1.25.1-0.20201020201750-d3470999428bgopkg.in/yaml.v33.0.0-20210106172901-c476de37821dgopkg.in/square/go-jose.v22.5.1github.com/go-jose/go-jose/v3≥ 3.0.3github.com/sirupsen/logrus1.7.0Suggested Fix
tctlto Go 1.22+ — resolves all 25 stdlib CVEs in one step.go.modfor the affected third-party modules:github.com/dgrijalva/jwt-go→github.com/golang-jwt/jwt/v5github.com/apache/thrift→ ≥ 0.12.0google.golang.org/grpc→ ≥ 1.56.3google.golang.org/protobuf→ ≥ 1.33.0gopkg.in/yaml.v3→ ≥ 3.0.1gopkg.in/square/go-jose.v2→github.com/go-jose/go-jose/v3≥ 3.0.3github.com/sirupsen/logrus→ ≥ 1.9.3References
golang-jwt/jwtmigration guide: https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md