Snyk - Open Source Security

Snyk test report

June 22nd 2025, 12:23:32 am (UTC+00:00)

Scanned the following paths:
  • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
  • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
  • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
  • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
24 known vulnerabilities
33 vulnerable dependency paths
1131 dependencies

Allocation of Resources Without Limits or Throttling

high severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Vulnerable module: golang.org/x/oauth2/jws
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* golang.org/x/oauth2/jws@v0.24.0

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

Remediation

Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

References

More about this vulnerability

Server-side Request Forgery (SSRF)

high severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Vulnerable module: golang.org/x/net/http/httpproxy
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* golang.org/x/net/http/httpproxy@v0.32.0

Overview

golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

Remediation

Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

References

More about this vulnerability

Allocation of Resources Without Limits or Throttling

high severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Vulnerable module: golang.org/x/crypto/ssh
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* golang.org/x/crypto/ssh@v0.31.0

Overview

golang.org/x/crypto/ssh is a SSH client and server

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

Remediation

Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

References

More about this vulnerability

Asymmetric Resource Consumption (Amplification)

high severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Vulnerable module: github.com/golang-jwt/jwt/v5
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/golang-jwt/jwt/v5@v5.2.1

Overview

Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

Remediation

Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

References

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/vault/api
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/vault/api@v1.15.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/serf/coordinate
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/serf/coordinate@v0.10.1

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex
  • Package Manager: golang
  • Module: github.com/hashicorp/hcl/v2
  • Introduced through: github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0

Detailed paths

  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/gohcl@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/hclparse@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/hclwrite@v2.13.0
  • Introduced through: github.com/dexidp/dex@* github.com/hashicorp/hcl/v2/json@v2.13.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/hcl
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/hcl@v1.0.0
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/hcl/hcl/token@v1.0.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/golang-lru/simplelru
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/golang-lru/simplelru@v1.0.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-uuid
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-uuid@v1.0.3

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-sockaddr
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-sockaddr@v1.0.7
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-sockaddr/template@v1.0.7

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-secure-stdlib/strutil
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-secure-stdlib/parseutil
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-secure-stdlib/awsutil
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-rootcerts
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-rootcerts@v1.0.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-retryablehttp
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-retryablehttp@v0.7.7

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-multierror
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-multierror@v1.1.1

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-immutable-radix
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-immutable-radix@v1.3.1

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/go-cleanhttp
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/go-cleanhttp@v0.5.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/errwrap
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/errwrap@v1.1.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/hashicorp/consul/api
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/consul/api@v1.30.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/hashicorp/consul/api@v1.30.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Module: github.com/gosimple/slug
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/gosimple/slug@v1.14.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex
  • Package Manager: golang
  • Module: github.com/go-sql-driver/mysql
  • Introduced through: github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.2

Detailed paths

  • Introduced through: github.com/dexidp/dex@* github.com/go-sql-driver/mysql@v1.9.2

MPL-2.0 license

More about this vulnerability

Allocation of Resources Without Limits or Throttling

medium severity
  • Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate
  • Package Manager: golang
  • Vulnerable module: github.com/go-jose/go-jose/v4
  • Introduced through: github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2

Detailed paths

  • Introduced through: github.com/hairyhenderson/gomplate/v4@* github.com/go-jose/go-jose/v4@v4.0.2

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

Workaround

This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

Remediation

Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

References

More about this vulnerability