
chore: bump golang to 1.25.7 because of cve#5938

Merged
Skarlso merged 1 commit intoexternal-secrets:mainfrom
Skarlso:bump-go-version-1.25.7
Feb 8, 2026

Conversation


@Skarlso Skarlso commented Feb 8, 2026

Problem Statement

There is a CVE in 1.25.6


┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ HIGH     │ fixed  │ v1.25.6           │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying │
│         │                │          │        │                   │                              │ Config has ......                                          │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴────────────────────────────────────────────────────────────┘

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Go Version Bump to 1.25.7 for CVE Mitigation

This PR bumps the Go toolchain version from 1.25.6 to 1.25.7 across the repository due to a CVE.

Changes:

  • Updated all go.mod files (apis, e2e, generators, providers, runtime) from go 1.25.6 to go 1.25.7
  • Updated Dockerfile base images from golang:1.25.6 to golang:1.25.7:
    • Dockerfile.standalone
    • e2e/Dockerfile
    • tilt.debug.dockerfile

Impact:

  • No functional code changes; purely a tooling/build dependency version update
  • ~57 files modified, each with minimal changes (+1/-1 lines)
  • All changes are consistent version increments with updated image digests

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
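The change list above is two kinds of one-line edits repeated across many files (the `go` directive in every go.mod, the `golang:` base image in every Dockerfile), which makes it easy to verify mechanically. The following Go program is an added example, not code from this PR or the external-secrets code base: it takes a map of repository path to file content (how the caller loads those files from disk is left to the caller) and reports every go.mod directive or `FROM golang:` image, including digest-suffixed and `--platform`-prefixed references, that does not pin the expected version, so a module left at 1.25.6 after a 57-file bump is caught before merge. The sample tree in main and its sha256 value are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// goDirective matches the `go 1.25.7` line of a go.mod; golangImage matches
// `FROM [--platform=...] golang:<ver>[-variant][@sha256:...]` in a Dockerfile.
var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\S+)\s*$`)
	golangImage = regexp.MustCompile(`(?m)^FROM\s+(?:--platform=\S+\s+)?golang:(\d+(?:\.\d+)*)`)
)

// Stale scans go.mod and Dockerfile contents (repo path -> content) and returns
// "path: version" for every pinned Go version that differs from want, sorted.
// Multi-stage Dockerfiles may contribute several pins; other files are ignored.
func Stale(files map[string]string, want string) []string {
	var bad []string
	for path, body := range files {
		re := golangImage
		if strings.HasSuffix(path, "go.mod") {
			re = goDirective
		} else if !strings.Contains(strings.ToLower(path), "dockerfile") {
			continue
		}
		for _, m := range re.FindAllStringSubmatch(body, -1) {
			if m[1] != want {
				bad = append(bad, path+": "+m[1])
			}
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample tree; the image digest is a placeholder, not a real one.
	files := map[string]string{
		"go.mod":                "module example/root\n\ngo 1.25.7\n",
		"providers/v1/x/go.mod": "module example/x\n\ngo 1.25.6\n",
		"Dockerfile.standalone": "FROM golang:1.25.7@sha256:PLACEHOLDER AS builder\n",
		"e2e/Dockerfile":        "FROM --platform=$BUILDPLATFORM golang:1.25.6-alpine AS build\n",
	}
	fmt.Println(Stale(files, "1.25.7")) // [e2e/Dockerfile: 1.25.6 providers/v1/x/go.mod: 1.25.6]
}
```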
@github-actions github-actions bot added labels kind/chore (Categorizes Pull Requests for chore activities, like bumping versions), kind/dependency (dependabot and upgrades) and size/m on Feb 8, 2026
coderabbitai bot commented Feb 8, 2026

Walkthrough

Go language version is bumped from 1.25.6 to 1.25.7 across the codebase, including Docker base images and go.mod files in root, APIs, generators, providers, and runtime modules. Total of 57 files updated with consistent version change.

Changes (cohort, files, summary)

  • Docker Base Images (Dockerfile.standalone, e2e/Dockerfile, tilt.debug.dockerfile): updated base golang image from 1.25.6 to 1.25.7 with new sha256 digests; all other build instructions unchanged.
  • Root and Core Modules (go.mod, apis/go.mod, runtime/go.mod, e2e/go.mod): Go toolchain version updated from 1.25.6 to 1.25.7; no dependency or module structure changes.
  • Generator Modules (generators/v1/acr/go.mod, generators/v1/cloudsmith/go.mod, generators/v1/ecr/go.mod, generators/v1/fake/go.mod, generators/v1/gcr/go.mod, generators/v1/github/go.mod, generators/v1/grafana/go.mod, generators/v1/mfa/go.mod, generators/v1/password/go.mod, generators/v1/quay/go.mod, generators/v1/sshkey/go.mod, generators/v1/sts/go.mod, generators/v1/uuid/go.mod, generators/v1/vault/go.mod, generators/v1/webhook/go.mod): Go language version bumped from 1.25.6 to 1.25.7 across all generator modules; no functional or dependency changes.
  • Provider Modules (providers/v1/akeyless/go.mod, providers/v1/aws/go.mod, providers/v1/azure/go.mod, providers/v1/barbican/go.mod, providers/v1/beyondtrust/go.mod, providers/v1/bitwarden/go.mod, providers/v1/chef/go.mod, providers/v1/cloudru/go.mod, providers/v1/conjur/go.mod, providers/v1/delinea/go.mod, providers/v1/doppler/go.mod, providers/v1/dvls/go.mod, providers/v1/fake/go.mod, providers/v1/fortanix/go.mod, providers/v1/gcp/go.mod, providers/v1/github/go.mod, providers/v1/gitlab/go.mod, providers/v1/ibm/go.mod, providers/v1/infisical/go.mod, providers/v1/keepersecurity/go.mod, providers/v1/kubernetes/go.mod, providers/v1/ngrok/go.mod, providers/v1/onboardbase/go.mod, providers/v1/onepassword/go.mod, providers/v1/onepasswordsdk/go.mod, providers/v1/oracle/go.mod, providers/v1/passbolt/go.mod, providers/v1/passworddepot/go.mod, providers/v1/previder/go.mod, providers/v1/pulumi/go.mod, providers/v1/scaleway/go.mod, providers/v1/secretserver/go.mod, providers/v1/senhasegura/go.mod, providers/v1/vault/go.mod, providers/v1/volcengine/go.mod, providers/v1/webhook/go.mod, providers/v1/yandex/go.mod): Go toolchain version bumped from 1.25.6 to 1.25.7 across all provider modules; no dependency or behavioral changes.

sonarqubecloud bot commented Feb 8, 2026


Skarlso commented Feb 8, 2026

/ok-to-test sha=4956f923fc95c27b2f17c9e318d8ddc09c1b0b7c

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 3: The go.mod indicates "go 1.25.7" but CI/build images and toolchains
must be updated to match that runtime; update all CI configs, Dockerfiles,
builder images, and any pinned Go toolchain references (e.g., Dockerfiles using
golang:X, GitHub Actions setup-go, Bazel toolchains, or any gn toolchain
manifests) to use Go 1.25.7 so the build environment matches the go 1.25.7
declaration and includes the CVE fixes CVE-2025-61732 and CVE-2025-68121.

In `@providers/v1/delinea/go.mod`:
- Line 3: Update the PR/commit context to document the security fixes in the Go
upgrade: add the two CVE IDs and short descriptions—CVE-2025-61732 (cmd/cgo:
doc-comment code smuggling due to Go vs C/C++ comment parsing) and
CVE-2025-68121 (crypto/tls: unexpected session resumption when using
Config.GetConfigForClient)—and state that they are addressed by upgrading the go
directive to 1.25.7 in providers/v1/delinea/go.mod so reviewers and auditors can
see the security rationale for the version bump.
🧹 Nitpick comments (1)
providers/v1/onepasswordsdk/go.mod (1)

3-3: Consider documenting the CVE identifier in the PR description.

While the version bump is correct, it would be helpful to document the specific CVE identifier(s) in the PR description or commit message for future reference and audit trails.

module github.com/external-secrets/external-secrets

go 1.25.6
go 1.25.7
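Review bot: the `go 1.25.7` directive on line 3 raises this module's declared minimum, but which crypto/tls ends up in the binary depends on the toolchain that actually compiles it. With GOTOOLCHAIN=auto (the default) an older local Go will fetch 1.25.7 to satisfy this line, whereas pinned build environments (GOTOOLCHAIN=local, container images) will not, so the Dockerfile base-image bumps in this PR (Dockerfile.standalone, e2e/Dockerfile, tilt.debug.dockerfile) are the part that closes CVE-2025-68121 for container builds, and any CI setup-go pin should be checked to match.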

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Go 1.25.7 release notes CVE fixes

💡 Result:

Go 1.25.7 (released 2026-02-04) includes security fixes in the go command and crypto/tls. [1]

CVE fixes included in Go 1.25.7:

  • CVE-2025-61732 (cmd/cgo): potential code smuggling via doc comments due to differences in Go vs C/C++ comment parsing. [2]
  • CVE-2025-68121 (crypto/tls): session resumption may incorrectly succeed if the underlying tls.Config trust roots (ClientCAs/RootCAs) are mutated between the original and resumed handshakes (e.g., via Config.Clone + mutation or GetConfigForClient). [3]

Sources
[1] https://go.dev/doc/devel/release
[2] https://pkg.go.dev/vuln/GO-2026-4433
[3] https://pkg.go.dev/vuln/GO-2026-4337
Ensure CI/build images are updated to Go 1.25.7 for CVE fixes.

Go 1.25.7 (released 2026-02-04) includes critical security fixes: CVE-2025-61732 (cmd/cgo code smuggling) and CVE-2025-68121 (crypto/tls session resumption trust root mutations). Verify all CI/build toolchains and containers are updated to match this toolchain version.


module github.com/external-secrets/external-secrets/providers/v1/delinea

go 1.25.6
go 1.25.7
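Review bot: with the same one-line change repeated across the ~57 go.mod files listed in the description, the review risk is a module that was missed rather than this hunk itself; each module's `go` directive is enforced independently, so a provider left at 1.25.6 would build fine and simply keep a stale minimum. A sweep such as `grep -rL '^go 1.25.7' --include=go.mod .` (lists go.mod files that lack the new line) before merge is cheap insurance.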

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Go 1.25.7 release

💡 Result:

Go 1.25.7 was released on February 4, 2026. It includes security fixes for the go command and crypto/tls, plus bug fixes for the compiler and crypto/x509. [1]

The upstream release tag is go1.25.7 (tag timestamp: 2026-02-03T20:02:30Z). [2]

Release details / milestone: see the Go 1.25.7 entry in Go’s release history (links to the GitHub milestone). [1]

Download/install: use the standard Go downloads for go1.25.7 (or update via your usual package manager/tooling). [2]

Sources: [1] [2]


🌐 Web query:

Go 1.25.7 CVE security vulnerabilities

💡 Result:

Go 1.25.7 (released 2026-02-04) includes fixes for two CVEs: [1][2]

  • CVE-2025-61732 (cmd/cgo): potential code smuggling via doc comments due to differences in Go vs C/C++ comment parsing. Fixed in go1.25.7 (and go1.24.13). [2][3]
  • CVE-2025-68121 (crypto/tls): unexpected session resumption when using Config.GetConfigForClient (and related config mutation patterns), potentially bypassing modified authentication requirements. Fixed in go1.25.7 (and go1.24.13). [2][4]

If you’re on Go 1.25.x, upgrading to 1.25.7 or later addresses both. [1][2]
Document the CVEs addressed by Go 1.25.7 in commit/PR context.

Go 1.25.7 (released February 4, 2026) addresses two CVEs:

  • CVE-2025-61732 (cmd/cgo): code smuggling via doc comments due to Go vs C/C++ comment parsing differences
  • CVE-2025-68121 (crypto/tls): unexpected session resumption when using Config.GetConfigForClient, potentially bypassing modified authentication

Consider including these CVE references in the PR description or commit message for clear security context.

@Skarlso Skarlso merged commit 03f0314 into external-secrets:main Feb 8, 2026
42 checks passed
nutmos pushed a commit to nutmos/external-secrets that referenced this pull request Feb 11, 2026
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>
nutmos pushed a commit to nutmos/external-secrets that referenced this pull request Feb 18, 2026
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>
@coderabbitai coderabbitai bot mentioned this pull request Mar 13, 2026
dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

Labels

kind/chore (Categorizes Pull Requests for chore activities, like bumping versions), kind/dependency (dependabot and upgrades), size/m

Projects

Status: Done

2 participants