Alpine: multiple go packages: security update to 1.24.8-r0

medium Tenable Cloud Security Plugin ID 435590

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The ParseAddress function constructs domain-literal address components through repeated string
concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
(CVE-2025-61725)

- The Parse function permits values other than IPv6 addresses to be included in square brackets within the
host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component,
enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not
appear within square brackets. Parse did not enforce this requirement. (CVE-2025-47912)

- tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0
sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader
to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a
small compressed input can result in large allocations. (CVE-2025-58183)

- Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory
exhaustion. (CVE-2025-58185)

- Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have
a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server
allocate a large amount of structs, causing large memory consumption. (CVE-2025-58186)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-47912

https://security.alpinelinux.org/vuln/CVE-2025-58183

https://security.alpinelinux.org/vuln/CVE-2025-58185

https://security.alpinelinux.org/vuln/CVE-2025-58186

https://security.alpinelinux.org/vuln/CVE-2025-58187

https://security.alpinelinux.org/vuln/CVE-2025-58188

https://security.alpinelinux.org/vuln/CVE-2025-58189

https://security.alpinelinux.org/vuln/CVE-2025-61723

https://security.alpinelinux.org/vuln/CVE-2025-61724

https://security.alpinelinux.org/vuln/CVE-2025-61725

Plugin Details

Severity: Medium

ID: 435590

Version: Revision 1.12

Type: Local

Published: 10/12/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2025-61725

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2025-58189

Vulnerability Information

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725