
Update Dockerfile to fix CVE-2025-61729 and CVE-2025-61727 #1351

@tejas777

Description

The Dockerfile currently uses golang:1.25-alpine3.21 as the base image, which contains Go 1.25.4. This version has two known CVEs that need to be addressed:

  • CVE-2025-61729 (High severity) - crypto/x509: excessive resource consumption in certificate validation
  • CVE-2025-61727 (Medium severity) - crypto/x509: improper application of excluded DNS name constraints when verifying wildcard names

Impact

These CVEs affect:

  • Docker images built from the current Dockerfile
  • Any containerized deployments using the official image
  • Database connections using TLS/SSL certificates
  • Certificate validation in PKI environments
  • Applications relying on mutual TLS authentication

CVE-2025-61729 can lead to Denial of Service (DoS) through resource exhaustion when processing malicious certificates with excessive hostname configurations.

CVE-2025-61727 allows bypassing excluded subdomain constraints using wildcard SANs. For example, a constraint that excludes test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com, potentially allowing unauthorized certificate usage.
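The following is an added example, not code from this issue or from golang-migrate, that turns the constraint-bypass scenario above into a self-contained toolchain check. It builds an in-memory CA (constructed here, never written to disk) whose name constraints exclude test.example.com, issues three leaves under it, and asks crypto/x509 to verify each: a plain permitted name, the literally excluded name, and the wildcard *.example.com that the issue says an affected Go release accepts. The first two outcomes are the same on every Go version; the third is the CVE-2025-61727 case, and a fixed toolchain is expected to reject it. The helper names (newConstrainedCA, issueLeaf, leafAccepted) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"runtime"
	"time"
)

// testCA is a constructed, in-memory CA whose only purpose is to carry an
// excluded DNS name constraint for the verification check below.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newConstrainedCA builds a self-signed CA with the given excluded DNS subtrees.
func newConstrainedCA(excluded []string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExcludedDNSDomains:    excluded, // the name constraint under test
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate carrying exactly the given DNS SANs.
func (ca *testCA) issueLeaf(serial int64, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafAccepted reports whether crypto/x509 accepts a leaf with the given SANs
// for hostname, when the only trusted root is a CA that excludes
// test.example.com. The error covers setup failures only, not rejection.
func leafAccepted(dnsNames []string, hostname string) (bool, error) {
	ca, err := newConstrainedCA([]string{"test.example.com"})
	if err != nil {
		return false, err
	}
	leaf, err := ca.issueLeaf(2, dnsNames)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil, nil
}

func main() {
	cases := []struct {
		label string
		sans  []string
		host  string
	}{
		{"permitted name", []string{"www.example.com"}, "www.example.com"},
		{"literal excluded name", []string{"test.example.com"}, "test.example.com"},
		{"wildcard over excluded name (CVE-2025-61727)", []string{"*.example.com"}, "www.example.com"},
	}
	fmt.Println("toolchain:", runtime.Version())
	for _, c := range cases {
		ok, err := leafAccepted(c.sans, c.host)
		if err != nil {
			fmt.Printf("%-46s setup error: %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-46s accepted=%v\n", c.label, ok)
	}
}
```

Run it with the toolchain that builds the image (for example from inside the base image's container). If the third case prints accepted=true, the wildcard bypass the issue describes is still present in that toolchain; the first two lines are sanity checks that the constraint is being applied at all.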

Proposed Fix

Update the Dockerfile to use Go 1.25.5 or later, which includes fixes for both CVEs.

Current (Go 1.25.4):

FROM golang:1.25-alpine3.21 AS builder

Proposed (Go 1.25.5):

FROM golang:1.25.5-alpine3.21 AS builder

Vulnerability Details

CVE-2025-61729 (High Severity)

  • CVSS Score: 7.5 (High)
  • Affected Package: crypto/x509
  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Go Issue: golang/go#76445

CVE-2025-61727 (Medium Severity)

  • CVSS Score: 6.5 (Medium)
  • Affected Package: crypto/x509
  • CWE: CWE-295 (Improper Certificate Validation)
  • Go Issue: golang/go#76442

References

Additional Context

Both vulnerabilities were fixed in Go 1.25.5 (released December 2, 2025). The update is a simple version bump with no breaking changes expected. Given that golang-migrate often handles database connections with TLS/SSL, addressing these certificate validation vulnerabilities is important for secure deployments.

Proof that golang:1.25-alpine3.21 has both vulnerabilities

Image Link: https://hub.docker.com/layers/library/golang/1.25-alpine3.21/images/sha256-b6ae55918d847924a00d6734c873fa9631fdbcbb9ec9d6edafc5ed80d353c35b

Checklist

  • Update Dockerfile base image to golang:1.25.5-alpine3.21
  • Test build process with updated image
  • Verify TLS/SSL connections work correctly
  • Update CI/CD configurations if needed
  • Release new version with updated Dockerfile
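As an added example for the "test build process" and "verify" items above (not code from this issue or from golang-migrate), the small Go program below checks whether a toolchain version string, or the version embedded in a built binary, is at least the first fixed release named in this issue. It uses the standard library's go/version for the comparison and debug/buildinfo to read the same data that `go version -m <binary>` prints. The helper names (toolchainAtLeast, binaryGoVersion) and the minFixedGo constant are assumptions of this example; the version strings must carry the "go" prefix, as `go version` and buildinfo report them.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

// minFixedGo is the first release the issue names as carrying both fixes.
const minFixedGo = "go1.25.5"

// toolchainAtLeast reports whether have (e.g. "go1.25.4") is the same as or
// newer than want. Release candidates compare as go/version orders them, so
// "go1.26rc1" counts as newer than "go1.25.5".
func toolchainAtLeast(have, want string) (bool, error) {
	if !version.IsValid(have) {
		return false, fmt.Errorf("not a Go version string: %q", have)
	}
	if !version.IsValid(want) {
		return false, fmt.Errorf("not a Go version string: %q", want)
	}
	return version.Compare(have, want) >= 0, nil
}

// binaryGoVersion reads the toolchain version embedded in a Go binary, for
// example a migrate binary copied out of the built image.
func binaryGoVersion(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

func main() {
	// With no argument, inspect this program's own binary.
	path := os.Args[0]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	have, err := binaryGoVersion(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	ok, err := toolchainAtLeast(have, minFixedGo)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s; fixed (>= %s): %v\n", path, have, minFixedGo, ok)
	if !ok {
		os.Exit(1)
	}
}
```

A non-zero exit on an old toolchain makes this usable as a CI gate after the image is built: extract the binary from the image and point the program at it.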
