Upgrade out of vulnerabilities in server and temporal-ui

Hi,

I am using a Trivy scan and a Grype scan to detect vulnerabilities in my project, and we recently discovered a handful of vulnerabilities in the temporal-server image version 1.27.2 and the temporal-ui version 2.36.2.

Would it be possible to upgrade out of these in the next release of these images?

Temporal Server

  • CVE-2024-45341
  • CVE-2024-45336
  • CVE-2025-22870 / GHSA-qxp5-gwg8-xv66
  • CVE-2025-30204 / GHSA-mh63-6h87-95cp

Temporal UI

  • CVE-2024-24789
  • CVE-2024-24790
  • CVE-2024-24791
  • CVE-2024-34155
  • CVE-2024-34158
  • CVE-2024-34156
  • CVE-2024-45341
  • CVE-2024-45336

Following up because I just saw a couple more vulnerabilities get flagged that would be nice to upgrade out of as well.

Temporal GUI & Temporal Server

  • CVE-2025-22871 - net/http - Current version: 1.23.0, fixed version(s): 1.23.8, 1.24.2

In the python SDK

  • GHSA-2gh3-rmm4-6rq5 - protobuf - Current version: 2.28.0, fixed version(s): 3.7.2
  • GHSA-pph8-gcv7-4qj5 - pyo3 - Current version: 0.20.3, fixed version(s): 0.24.1
  • GHSA-4p46-pwfr-66x6 - ring - Current version: 0.17.8, fixed version(s): 0.17.12
  • GHSA-rr8g-9fpq-6wmg - tokio - Current version: 1.42.0, fixed version(s): 1.44.2, 1.38.2, 1.43.1
  • CVE-2025-29787 - zip - Current version: 2.2.2, fixed version(s): 2.3.0

We also see those vulnerabilities using Xray, Grype, and Trivy scans on these images:

  • temporalio/server:1.27.2.0
  • temporalio/ui:2.36.2
  • temporalio/admin-tools:1.27

Take temporalio/server:1.27.2.0 as an example: upon reviewing the source code for the v1.27.2 release, we found that these vulnerabilities have already been addressed. For example, the scan reports a vulnerability in github.com/golang-jwt/jwt/v4:4.5.1 and suggests it is fixed in v4.5.2.

According to the go.mod file in the v1.27.2 release (temporal/go.mod at v1.27.2 · temporalio/temporal · GitHub), it is already using v4.5.2. The same applies to the other vulnerabilities in the Xray scan for this release.

Question to Temporal: could the image have been built before the dependency was upgraded, or could a sub-dependency still be pulling in an older version, even if the root module uses a fixed one?
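The question above can be answered from the image itself rather than from go.mod. The Go toolchain embeds the resolved module list and the compiler version in every binary, and this embedded build info is what Trivy and Grype read when they scan a Go binary; `go version -m <binary>` prints the same list, and `govulncheck -mode=binary <binary>` checks it against the Go vulnerability database. If the image was built from a commit before the go.mod bump, or a `replace` directive pins a different copy, the embedded list shows the version that was actually linked, and the toolchain line shows whether the net/http fix (Go 1.23.8 / 1.24.2 above) is present regardless of what go.mod says. The program below, an added example that is not part of this thread or of Temporal's tooling, parses `go version -m` output and compares it with fixed versions. The sample output, binary path, module hashes and the module path go.temporal.io/server are constructed assumptions; the jwt/v4 v4.5.1 versus v4.5.2 and go1.23.0 versus 1.23.8 / 1.24.2 figures are the ones quoted in this thread.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory pairs a component (module path, or "go" for the toolchain and stdlib) with its fixed releases.
type Advisory struct {
	Component string
	Fixed     []string
}
type Finding struct{ Component, Found, Fixed string } // a component linked below the fix for its line

// parseVersion packs "v4.5.1", "go1.23.0" or "1.24.2" into one comparable integer
// (major<<40 | minor<<20 | patch); suffixes after "-" or "+" are dropped, "(devel)" is rejected.
func parseVersion(v string) (uint64, bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var key uint64
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, false
		}
		key |= uint64(n) << uint(40-20*i)
	}
	return key, true
}

// Vulnerable reports whether found is older than the fix that applies to it, and which fix. Fixes are
// backported (e.g. 1.23.8 and 1.24.2): safe means at or above the fix on its own major.minor line, or at or above the newest fix.
func Vulnerable(found string, fixed []string) (bool, string) {
	f, ok := parseVersion(found)
	if !ok {
		return false, ""
	}
	newest, newestStr := uint64(0), ""
	for _, s := range fixed {
		x, ok := parseVersion(s)
		if !ok {
			continue
		}
		if x>>20 == f>>20 { // a fix shipped on this release line decides
			return f < x, s
		}
		if x > newest {
			newest, newestStr = x, s
		}
	}
	return newestStr != "" && f < newest, newestStr
}

// AuditBuildInfo parses `go version -m <binary>` output: a header "<path>: go1.23.0", then
// tab-led lines "\tkind\tmodule\tversion\thash" with kind path, mod, dep, => (replace) or build.
func AuditBuildInfo(out string, advisories []Advisory) []Finding {
	versions, lastDep := map[string]string{}, "" // what was actually linked, keyed by module path
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Split(line, "\t")
		switch {
		case len(f) == 1: // header: the toolchain version is what decides net/http and other stdlib CVEs
			if i := strings.LastIndex(line, ": go"); i >= 0 {
				versions["go"] = strings.TrimSpace(line[i+2:])
			}
		case len(f) >= 4 && (f[1] == "dep" || f[1] == "mod"):
			versions[f[2]], lastDep = f[3], f[2]
		case len(f) >= 4 && f[1] == "=>" && lastDep != "":
			// A replace directive: the replacement, not the preceding dep line, is what was linked.
			delete(versions, lastDep)
			versions[f[2]] = f[3]
		}
	}
	var findings []Finding
	for _, a := range advisories {
		if vuln, fix := Vulnerable(versions[a.Component], a.Fixed); vuln {
			findings = append(findings, Finding{a.Component, versions[a.Component], fix})
		}
	}
	return findings
}

// Constructed sample of `go version -m` output: binary path, module path and hashes are assumed;
// jwt/v4 v4.5.1 and go1.23.0 are the figures reported in this thread.
const sampleBuildInfo = "/usr/local/bin/temporal-server: go1.23.0\n" +
	"\tmod\tgo.temporal.io/server\t(devel)\n" +
	"\tdep\tgithub.com/golang-jwt/jwt/v4\tv4.5.1\th1:AAAA\n"

// Fixed versions quoted in the thread: jwt/v4 v4.5.2, and Go 1.23.8 / 1.24.2 for CVE-2025-22871.
var threadAdvisories = []Advisory{
	{Component: "github.com/golang-jwt/jwt/v4", Fixed: []string{"v4.5.2"}},
	{Component: "go", Fixed: []string{"1.23.8", "1.24.2"}},
}

func main() { fmt.Printf("%+v\n", AuditBuildInfo(sampleBuildInfo, threadAdvisories)) }
```

To run it against a real image, copy the server binary out of a stopped container (`docker create` followed by `docker cp`; the path inside the image is an assumption here) and feed `go version -m ./temporal-server` into `AuditBuildInfo` in place of the constant. If the embedded list shows jwt/v4 v4.5.1 while go.mod at the tag shows v4.5.2, the image was built from a different commit or with a `replace`; if the header shows go1.23.0, the net/http finding stands until the image is rebuilt with a patched toolchain, whatever go.mod says.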

Thanks for reporting these vulnerabilities in temporal-server 1.27.2, temporal-ui 2.36.2, and admin-tools:1.27.

While we monitor this forum, please consider opening GitHub issues for security vulnerabilities at:

This helps our development team better track and address these concerns within our workflow. Including the CVE details you’ve provided would be very helpful.

For customers with support contracts, you’re welcome to continue using our support portal.

Thanks for helping us improve Temporal’s security!

Best regards,
Support Team