
fix: patch CVE-2025-58183 in stdlib v1.25.0 #1966

Closed
shibd wants to merge 1 commit into master from fix/cve-2025-58183-stdlib-1.25.0


Conversation

@shibd (Member) commented Jan 15, 2026

Summary

Fix CVE-2025-58183: Unbounded allocation vulnerability in Go stdlib archive/tar when parsing GNU sparse map

CVE Details

How the CVE Was Introduced

The vulnerable stdlib v1.25.0 was introduced into the pulsarctl project through the go.mod directive.

Context:

  • pulsarctl is a Go command-line tool for managing Pulsar clusters
  • pulsarctl gets compiled into a binary and included in sn-platform-slim:4.0.8.5 image
  • The binary is placed at /pulsar/plugins/pulsarctl-kube
  • Trivy vulnerability scanning detected stdlib v1.25.0 in the compiled binary

Introduction path:

  1. pulsarctl go.mod specified go 1.25.0 which contains the vulnerable archive/tar implementation
  2. pulsarctl v4.0.4.2 was built with Go 1.25.0
  3. This version was used to build sn-platform-slim:4.0.8.5
  4. The compiled pulsarctl binary was copied into the image
  5. Trivy scan of sn-platform-slim:4.0.8.5 detected CVE-2025-58183

Why This Fix Resolves the CVE

Upgrading to Go 1.25.2 eliminates the vulnerability:

  1. Patch included: Go 1.25.2 includes the fix for CVE-2025-58183
  2. Fix details: The patch adds proper bounds on sparse region data blocks when parsing GNU tar pax 1.0 sparse files
  3. Backward compatibility: Go 1.25.2 is a patch release within the 1.25.x series, maintaining API compatibility
  4. No code changes required: Simply upgrading the Go version in go.mod incorporates the upstream fix

After this PR is merged:

  • pulsarctl will be built with Go 1.25.2 (safe version)
  • Future sn-platform-slim releases will include the fixed pulsarctl binary
  • Trivy scans will no longer report CVE-2025-58183

Changes Made

  • Updated go 1.25.0 to go 1.25.2 in go.mod
  • go.sum will be automatically updated by Go toolchain during build

Verification

  • PR reviewed and approved
  • pulsarctl build succeeds with Go 1.25.2
  • pulsarctl tests pass
  • After release, Trivy scan of sn-platform-slim shows no CVE-2025-58183

References

- Upgrade Go version from 1.25.0 to 1.25.2 in go.mod
- This fixes the unbounded allocation vulnerability in archive/tar
- CVE-2025-58183: tar.Reader does not set a maximum size on the
  number of sparse region data blocks in GNU tar pax 1.0 sparse files

CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58183
Severity: HIGH
Affected Component: pulsarctl (included in sn-platform-slim image)
Fixed Version: 1.24.8+, 1.25.2+

Related: streamnative/eng-support-tickets#3507
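A defender-side check for the verification step listed above (confirming the shipped `pulsarctl-kube` binary was built with a fixed toolchain), added here as an example that is not part of the PR or the pulsarctl project: it reads the Go version stamped into a compiled binary's build info (the same metadata Trivy reports as "stdlib") and compares it with the fixed versions the advisory text lists (1.24.8+, 1.25.2+). The per-branch cut-off table and the treatment of branches outside 1.24/1.25 are assumptions derived from that advisory text.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// First fixed patch per minor branch, from the advisory quoted in the PR
// (1.24.8+, 1.25.2+). Branches newer than 1.25 were cut after the fix (assumption).
var fixedPatch = map[int]int{24: 8, 25: 2}

// IsFixed reports whether a toolchain string such as "go1.25.0" or "go1.24"
// carries the CVE-2025-58183 fix. Pre-release/devel strings return an error.
func IsFixed(v string) (bool, error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "1" {
		return false, fmt.Errorf("unsupported Go version string %q", v)
	}
	minor, err := strconv.Atoi(parts[1])
	patch := 0 // "go1.24" is the .0 release of that branch
	if err == nil && len(parts) == 3 {
		patch, err = strconv.Atoi(parts[2])
	}
	if err != nil {
		return false, fmt.Errorf("malformed Go version %q: %w", v, err)
	}
	if need, ok := fixedPatch[minor]; ok {
		return patch >= need, nil
	}
	return minor > 25, nil // older branches never got the fix; newer ones ship it
}

// CheckBinary reads the Go version stamped into a compiled binary's build
// info (the same metadata Trivy inspects) and reports whether it is fixed.
func CheckBinary(path string) (goVersion string, fixed bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	fixed, err = IsFixed(info.GoVersion)
	return info.GoVersion, fixed, err
}
func main() {
	for _, p := range os.Args[1:] { // e.g. /pulsar/plugins/pulsarctl-kube
		v, fixed, err := CheckBinary(p)
		fmt.Printf("%s: go=%s fixed=%v err=%v\n", p, v, fixed, err)
	}
}
```

Run it against the binary extracted from the image; a `fixed=false` result or an error for a pre-release toolchain means the CVE is still reportable.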
@github-actions

@shibd: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

github-actions bot added the doc-info-missing label ("This PR needs to mark a document option in description") on Jan 15, 2026
@merlimat (Contributor) left a comment

@shibd There are more CVEs to fix. I've created a new PR at #1967

@shibd shibd closed this Jan 16, 2026