RHSA-2026:5851
Vulnerability from csaf_redhat - Published: 2026-03-25 23:56 - Updated: 2026-03-30 17:41Summary
Red Hat Security Advisory: DevWorkspace Operator 0.40.0 release.
Severity
Important
Notes
Topic: DevWorkspace Operator 0.40.0 has been released.
Details: The DevWorkspace Operator extends OpenShift to provide DevWorkspace support.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
7.5 (High)
Vendor Fix
To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.
https://access.redhat.com/errata/RHSA-2026:5851
Workaround
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.
7.5 (High)
Vendor Fix
To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.
https://access.redhat.com/errata/RHSA-2026:5851
Workaround
To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
7.5 (High)
Vendor Fix
To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.
https://access.redhat.com/errata/RHSA-2026:5851
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
7.4 (High)
Vendor Fix
To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.
https://access.redhat.com/errata/RHSA-2026:5851
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "DevWorkspace Operator 0.40.0 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "The DevWorkspace Operator extends OpenShift to provide DevWorkspace support.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:5851",
"url": "https://access.redhat.com/errata/RHSA-2026:5851"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61726",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61728",
"url": "https://access.redhat.com/security/cve/CVE-2025-61728"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61729",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-68121",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://redhat.atlassian.net/browse/CRW-10575",
"url": "https://redhat.atlassian.net/browse/CRW-10575"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_5851.json"
}
],
"title": "Red Hat Security Advisory: DevWorkspace Operator 0.40.0 release.",
"tracking": {
"current_release_date": "2026-03-30T17:41:10+00:00",
"generator": {
"date": "2026-03-30T17:41:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2026:5851",
"initial_release_date": "2026-03-25T23:56:41+00:00",
"revision_history": [
{
"date": "2026-03-25T23:56:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-25T23:56:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-30T17:41:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "DevWorkspace Operator 0.4",
"product": {
"name": "DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:devworkspace:0.40::el9"
}
}
}
],
"category": "product_family",
"name": "DevWorkspace Operator"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-rhel9-operator@sha256%3A030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30?arch=amd64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953459"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-operator-bundle@sha256%3Ab22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5?arch=amd64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773959130"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-backup-rhel9@sha256%3A0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc?arch=amd64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773527262"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-clone-rhel9@sha256%3A11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30?arch=amd64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953548"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"product_id": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-rhel9-operator@sha256%3A90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645?arch=s390x\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953459"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-backup-rhel9@sha256%3Aab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f?arch=s390x\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773527262"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-clone-rhel9@sha256%3A16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53?arch=s390x\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953548"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le",
"product_id": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-rhel9-operator@sha256%3Ade7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44?arch=ppc64le\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953459"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-backup-rhel9@sha256%3A662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea?arch=ppc64le\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773527262"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-clone-rhel9@sha256%3Abf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50?arch=ppc64le\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953548"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-rhel9-operator@sha256%3A783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf?arch=arm64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953459"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-backup-rhel9@sha256%3A812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464?arch=arm64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773527262"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"product": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"product_id": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"product_identification_helper": {
"purl": "pkg:oci/devworkspace-project-clone-rhel9@sha256%3A955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514?arch=arm64\u0026repository_url=registry.redhat.io/devworkspace\u0026tag=1773953548"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64 as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le as a component of DevWorkspace Operator 0.4",
"product_id": "DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
},
"product_reference": "registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le",
"relates_to_product_reference": "DevWorkspace Operator 0.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"known_not_affected": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-25T23:56:41+00:00",
"details": "To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5851"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61728",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:39.965024+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker needs to be able to process a malicious zip archive with an application using the archive/zip package. Additionally, this vulnerability can cause a Go application to consume an excessive amount of CPU and memory, eventually resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"known_not_affected": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61728"
},
{
"category": "external",
"summary": "RHBZ#2434431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"category": "external",
"summary": "https://go.dev/cl/736713",
"url": "https://go.dev/cl/736713"
},
{
"category": "external",
"summary": "https://go.dev/issue/77102",
"url": "https://go.dev/issue/77102"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4342",
"url": "https://pkg.go.dev/vuln/GO-2026-4342"
}
],
"release_date": "2026-01-28T19:30:31.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-25T23:56:41+00:00",
"details": "To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5851"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"known_not_affected": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-25T23:56:41+00:00",
"details": "To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5851"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: Unexpected session resumption in crypto/tls",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"known_not_affected": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-25T23:56:41+00:00",
"details": "To start using the DevWorkspace Operator, install the DevWorkspace Operator from OpenShift OperatorHub on OpenShift Container Platform 4.16 or higher.",
"product_ids": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5851"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-operator-bundle@sha256:b22a283fc83e7b6d99cd35afd6c8b066026fb8699a7d48a64eceea1f7a4262c5_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:0d1a98bd35453d85403050bf2d5a60399048bef2d9a01b44438da3fc991cdddc_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:662efae63c52da171bef532813311884c14d24dfe561ed338298965d1b49e1ea_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:812e9962c2b538d56054b0373df679f02e92f47457049a5acda883d047816464_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-backup-rhel9@sha256:ab53d75e3c7adb9f71d5c3e69158bee347767f4935dcea57af1a55528c4b6e4f_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:11c561bf7aac3f3ac3adfbc437a3f56ef7fdf494f02c161bde982156b36d8b30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:16c8a2101e6d1cb0db4834d42fe8b9bfa24e70dd2c03691cd5e5e6d7c2d1de53_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:955b69b44e7678aa7cac4d88f3142a2e4c44fe586ecf521034ebae40539e8514_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9@sha256:bf5514d940f858292f98853f4a939d8e89977f0bc72b5be34304bfb60b52ee50_ppc64le",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:030160d105ab2fd0f9815527f1b37055c4f734bee9f37f7ea923a506f8e39c30_amd64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:783ba2b9c36eabf2d04c30be1fd025502dacfd9138e9650c1d91dc7670c50faf_arm64",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:90826bb4d26aa81609923bf06310f98ffcc01754bf21d6b78123b1e1dff39645_s390x",
"DevWorkspace Operator 0.4:registry.redhat.io/devworkspace/devworkspace-rhel9-operator@sha256:de7e7e42e24111905f25990ed89adfbaee8b4467b9889142dff6091f4719da44_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: Unexpected session resumption in crypto/tls"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…