fix(deps): update module github.com/aquasecurity/trivy to v0.71.0 [security]#1256
fix(deps): update module github.com/aquasecurity/trivy to v0.71.0 [security]#1256renovate[bot] wants to merge 1 commit into
Conversation
ℹ️ Artifact update noticeFile name: scanner/keppel/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot could not run the full agentic suite for this review because it was automatically requested on a bot-authored pull request. Request a review from Copilot under Reviewers to retry with the full agentic suite. Improved support for bot-authored pull requests is coming soon.
Updates the Keppel scanner’s Go module dependencies (notably Trivy and Kubernetes-related libs) and bumps the declared Go language/toolchain version.
Changes:
- Bumped the module’s
goversion ingo.mod. - Updated multiple dependencies (e.g.,
aquasecurity/trivy, container/K8s/OpenTelemetry ecosystem packages). - Regenerated
go.sumto reflect the updated dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| scanner/keppel/go.mod | Raises the declared Go version and updates/extends required module versions. |
| scanner/keppel/go.sum | Syncs module checksums to the new dependency versions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This PR contains the following updates:
v0.68.0→v0.71.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
CVE-2026-54448 / GHSA-q3fv-x8vg-qqm4
More information
Details
Summary
When Trivy scans a Helm chart archive (
.tgz), its custom tar unpacker reads each entry withio.ReadAll(tr)and no size limit. An attacker who can place a malicious.tgzfile in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.Affected configurations
Exploitation requires the attacker to place a crafted
.tgzfile in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:trivy config <dir>.tgzHelm chart (misconfiguration scanning is always enabled)trivy filesystem --scanners misconf <dir>.tgzHelm chart and--scanners misconfis explicitly enabledtrivy image --scanners misconf <image>.tgzHelm chart and--scanners misconfis explicitly enabledRealistic scenarios include:
trivy config .on a repository where a contributor can submit a pull request containing a crafted chart archive.--scanners misconf, whose build context includes untrusted.tgzfiles.Impact
An attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.
The practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.
There is no impact on confidentiality or integrity of the scanned system.
Patches
Fixed in Trivy
v0.71.0(#10718). The custom tar unpacker was replaced witharchive.LoadArchiveFilesfrom the officialhelm.sh/helm/v4SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade tov0.71.0or later.Workarounds
If upgrading is not immediately possible:
--skip-dirsto exclude directories containing untrusted Helm chart archives from the scan..tgzfiles.Credits
Reported by @jamesgol.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
aquasecurity/trivy (github.com/aquasecurity/trivy)
v0.71.0⚡ Highlights ⚡
👉 https://redirect.github.com/aquasecurity/trivy/discussions/10767
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01
v0.70.0⚡ Highlights ⚡
👉 https://redirect.github.com/aquasecurity/trivy/discussions/10546
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0700-2026-04-16
v0.69.3Changelog
6fb20c8release: v0.69.3 [release/v0.69] (#10293)dabefecfix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)v0.69.2Changelog
cfa322erelease: v0.69.2 [release/v0.69] (#10266)86debcefix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)cf3d4cdfix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)6dfd3b0ci: remove apidiff workflowv0.69.1v0.69.0v0.68.2v0.68.1Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.