Skip to content

Security: tctl binary in admin-tools image compiled with Go 1.15.11 (EOL) — 25+ stdlib CVEs + stale Go dependencies #1107

Description

@vidhya03

Summary

The temporal/admin-tools Docker image ships a tctl binary compiled with Go 1.15.11, which reached end-of-life in August 2021. Container security scanning flags 32 vulnerabilities across 25 Go standard-library packages and 7 third-party Go modules embedded in the binary.

None of these appear to have been previously reported in this repository.

Root causes

  1. tctl compiled with Go 1.15.11 (EOL) — all stdlib CVEs stem from this; upgrading the Go toolchain resolves them in one go.
  2. Third-party Go module dependencies pinned to old versionsjwt-go, grpc, protobuf, yaml.v3, logrus, go-jose, thrift.

Affected artifact

Field Value
Image temporal/admin-tools
Binary /usr/local/bin/tctl
Go runtime in binary 1.15.11

Vulnerability Details

Group 1 — Go Standard Library (fix: rebuild tctl with Go ≥ 1.22)

Package Severity CVE(s)
net/http High CVE-2021-31525, CVE-2021-44716, CVE-2022-1705, CVE-2022-27664, CVE-2022-32148, CVE-2022-41717, CVE-2022-41723, CVE-2023-29406, CVE-2023-39325, CVE-2023-45288, CVE-2025-22870
crypto/tls High CVE-2021-34558, CVE-2022-30629, CVE-2022-41724, CVE-2023-29409, CVE-2023-45287, CVE-2025-58189, CVE-2025-61730, CVE-2025-68121, CVE-2026-32283
html/template High CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400, CVE-2023-39318, CVE-2023-39319, CVE-2026-27142, CVE-2026-32289
crypto/x509 High CVE-2025-58187, CVE-2025-58188, CVE-2025-61727, CVE-2025-61729, CVE-2026-32280, CVE-2026-32281
net/http/httputil High CVE-2021-33197, CVE-2021-36221, CVE-2022-2880, CVE-2026-39825
math/big High CVE-2021-33198, CVE-2022-23772, CVE-2022-32189
crypto/elliptic High CVE-2022-23806, CVE-2022-28327
mime/multipart High CVE-2022-41725, CVE-2023-24536
regexp/syntax High CVE-2022-41715
path/filepath High CVE-2022-30632, CVE-2023-45284
encoding/gob High CVE-2022-30635
encoding/xml High CVE-2022-28131, CVE-2022-30633
regexp High CVE-2022-24921
encoding/pem High CVE-2022-24675, CVE-2025-61723
net/http/internal Medium CVE-2023-39326
runtime High CVE-2023-29403
net/textproto High CVE-2023-24534, CVE-2025-61724
database/sql High CVE-2025-47907
net/url High CVE-2025-47912, CVE-2025-61726, CVE-2026-25679
compress/gzip High CVE-2022-30631
net High CVE-2021-33195
os/exec Medium CVE-2025-47906
os Low CVE-2025-22873, CVE-2026-27139
syscall Medium CVE-2021-44717, CVE-2022-29526
encoding/asn1 Medium CVE-2025-58185

Group 2 — Third-Party Go Dependencies (pinned to old versions)

Package Vulnerable Version Severity CVE(s) Suggested Fix
github.com/dgrijalva/jwt-go 3.2.0 High CVE-2020-26160 Migrate to github.com/golang-jwt/jwt/v5
github.com/apache/thrift/lib/go/thrift 0.0.0-20161221203622-b2a4d4ae21c7 High CVE-2019-0210 Upgrade to github.com/apache/thrift ≥ 0.12.0
google.golang.org/grpc 1.34.0 High GO-2023-2153 Upgrade to ≥ 1.56.3
google.golang.org/protobuf 1.25.1-0.20201020201750-d3470999428b High CVE-2024-24786 Upgrade to ≥ 1.33.0
gopkg.in/yaml.v3 3.0.0-20210106172901-c476de37821d High CVE-2022-28948 Upgrade to ≥ 3.0.1
gopkg.in/square/go-jose.v2 2.5.1 Medium CVE-2024-28180 Migrate to github.com/go-jose/go-jose/v3 ≥ 3.0.3
github.com/sirupsen/logrus 1.7.0 High CVE-2025-65637 Upgrade to ≥ 1.9.3

Suggested Fix

  1. Upgrade Go toolchain used to build tctl to Go 1.22+ — resolves all 25 stdlib CVEs in one step.
  2. Update go.mod for the affected third-party modules:
    • Replace github.com/dgrijalva/jwt-gogithub.com/golang-jwt/jwt/v5
    • Upgrade github.com/apache/thrift → ≥ 0.12.0
    • Upgrade google.golang.org/grpc → ≥ 1.56.3
    • Upgrade google.golang.org/protobuf → ≥ 1.33.0
    • Upgrade gopkg.in/yaml.v3 → ≥ 3.0.1
    • Migrate gopkg.in/square/go-jose.v2github.com/go-jose/go-jose/v3 ≥ 3.0.3
    • Upgrade github.com/sirupsen/logrus → ≥ 1.9.3

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions