Update mongo-driver to v2 to resolve CVE-2024-45337 (crypto v0.26.0 vulnerability)

[khybort]

Summary

The current strfmt package depends on go.mongodb.org/mongo-driver v1.17.6, which references golang.org/x/crypto v0.26.0. This version is affected by CVE-2024-45337 (CVSS 9.1 Critical - SSH authorization bypass vulnerability).

While Go's MVS (Minimum Version Selection) resolves to newer crypto versions when users have direct requirements, many security scanning tools (Vanta, Snyk, Trivy, etc.) flag the v0.26.0 reference in the dependency graph as a vulnerability, causing false positives for downstream users.

Current State

github.com/go-openapi/strfmt@v0.25.0
└── go.mongodb.org/mongo-driver@v1.17.6
    └── golang.org/x/crypto@v0.26.0  ❌ (vulnerable, fix requires v0.31.0+)

Proposed Solution

Update to mongo-driver v2 which uses a patched crypto version:

go.mongodb.org/mongo-driver/v2@v2.4.1
└── golang.org/x/crypto@v0.33.0  ✅ (patched)

Impact

This affects all downstream projects using strfmt for OpenAPI validation. Security scanners flag CVE-2024-45337 even though:

• Go MVS may resolve to a newer crypto version at runtime
• The vulnerable SSH code path may not be reachable
• govulncheck reports no vulnerabilities

However, many organizations require clean security scans for compliance (SOC2, etc.), and this transitive reference causes audit failures.

Vulnerability Details

• CVE: CVE-2024-45337
• Go Advisory: GO-2024-3321
• Severity: Critical (CVSS 9.1)
• Affected: golang.org/x/crypto < v0.31.0
• Fixed: golang.org/x/crypto v0.31.0+
• Type: Authorization bypass via SSH PublicKeyCallback misuse

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-45337
• https://pkg.go.dev/vuln/GO-2024-3321
• x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass golang/go#70779

Environment

• strfmt version: v0.25.0
• mongo-driver version: v1.17.6
• Go version: 1.24.x

Thank you for maintaining this package!

[fredbi]

My analysis/notes to myself:

• running trivy on this repo: no alert
• the dependabot at go mongo driver only follows their v2. It seems they forgot to backport the change to v1
• it is difficult to introduce driver v2 change without breaking anything
• adding a replace directive in go.mod won’t solve anythimg
• all the while working on how to split/internalize our lib so it is no longer dependent on this driver by default
• not able to post an issue to go-mongodb driver repo. Seems they’ve closed GitHub issues

[fredbi]

@khybort I'd like to challenge the following assertion:

many security scanning tools (Vanta, Snyk, Trivy, etc.) flag the v0.26.0 reference in the dependency graph as a vulnerability

This repo is scanned by govulncheck, trivy and codeQL: none of these tools are reporting the vulnerability you're referring to.
To put it simply: the dependency propagation is not blindly copying all dependencies from upstream repos.
It so happens that none of our (very limited) calls to the mongodb-driver incurs a dependency to golang.org/x/crypto.

This lib is not in our indirect dependencies and is not part of our go.sum. govulncheck or trivy don't find anything on that library (when running on go1.25.x). Further, I am using snyk on my forks that track the main repos. And snyk doesn't detect anything.

I am curious which scanners are reporting this issue specifically for go-openapi/strfmt.

Could you please elaborate by sharing such a report?

My hunch is that programs using the mongo-db driver may be vulnerable to this CVE because they actually use it. I am not totally convinced that the problem comes from our library which uses only the surface of the mongo driver. That being said, we have an open issue with this dependency and we are going to remove it somehow. This is just a challenge to do that without breaking changes.

[khybort]

The vulnerability was flagged by Vanta and AWS Inspector when scanning our production Docker images.

These scanners analyze the final Docker image, and when go.mod/go.sum files are present in the image filesystem, they flag CVEs in the transitive dependency tree - including go.mongodb.org/mongo-driver.

Our workaround: We switched to a multi-stage Docker build where:

• Builder stage: contains go.mod, go.sum, downloads dependencies, compiles the binary
• Final stage: only contains the compiled binary (no go.mod/go.sum)

This resolved the scanner alerts since the final image no longer contains the dependency manifest files.

However, this is a workaround rather than a fix. Organizations using container image scanners like Vanta, AWS Inspector, or similar tools will still see these CVEs if their Dockerfiles copy go.mod into the final image.

The tools you mentioned (govulncheck, trivy fs) analyze code reachability, which is why they don't flag it. But image-level scanners flag all transitive dependencies regardless of reachability.

[fredbi]

OK. Thanks for this additional piece of information.

TL;DR: won't fix

Here is why:

• your reported vulnerability is obviously a false positive. You most likely have other ways to deal with it than imposing breaking changes to upstream libraries like ours.
• there is no evidence from your report that your tool catches the vulnerable package through the strfmt lib (e.g. go mod why, go mod graph)
• if the root cause of your problem is fixed by the upstream dependency (mongodb-driver), it will propagate in strfmt within a week at most
• mongodb dependency is a pain to us in general and we have an ongoing work to remove it by default. Support to v2 driver upgrade is also considered (see Consider removing mongo-db-driver dependency #91).

[khybort]

Here's the dependency chain you requested:

$ go mod graph | grep -E "strfmt.*mongo"
github.com/go-openapi/strfmt@v0.25.0 go.mongodb.org/mongo-driver@v1.17.6

The chain is clear: strfmt → mongo-driver → x/crypto (vulnerable)

I understand this is a false positive from a code reachability perspective - the vulnerable code path isn't actually executed. However, container image scanners (Vanta, AWS Inspector, etc.) don't perform reachability analysis. They flag any CVE present in the dependency tree.

Upgrading to mongo-driver v2 would resolve this since v2 uses the patched x/crypto. I see this is being discussed in #91 - I'd be happy to contribute to that effort if help is needed.

[fredbi]

@khybort

I've cut a new release with the upgrade.
You'll notice that the newly released library no longer depends on the mongodb driver. Still it works out of the box against a mongodb !
The trick is that we use now an internalized shim of the driver v2 for our very simple codec needs.
If you want the library to use the actual v2 driver, it is not wrapped as an independent sub-module, specifically for mongodb users that want this. All other users who don't really care about mongodb won't get this extra dependency moving forward.