Security: CVE-2025-68121 and CVE-2026-33186

[flaf]

Code of Conduct

• I have read and agree to the Code of Conduct.
• Vote on this issue by adding a 👍 reaction to the original issue description to help the maintainers prioritize.
• Do not leave "+1" or other comments that do not add relevant information or questions.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Packer Version

1.15.0

Packer Plugin Version

2.1.1

Plugin Builder

• vsphere-iso
• vsphere-clone
• vsphere-supervisor

Plugin Post-Processor

• vsphere
• vsphere-template

vSphere Version

8.0.9

Description

The latest packer-plugin-vsphere binary (v2.1.1) contains two Critical CVEs
identified by Trivy:

CVE	Severity	Component	Installed	Fixed in
CVE-2025-68121	Critical	stdlib (Go)	1.23.12	1.24.13, 1.25.7, 1.26.0-rc.3
CVE-2026-33186	Critical	google.golang.org/grpc	v1.65.0	1.79.3

Could you please:

• recompile packer-plugin-vsphere with Go ≥ 1.24.13 or ≥ 1.25.7
• bump google.golang.org/grpc to ≥ 1.79.3

Packer Configuration

Not relevant...

Debug Output

Not relevant...

Panic Output

Not relevant...

Expected Behavior

Not relevant...

Actual Behavior

Not relevant...

Steps to Reproduce

Not relevant...

Environment Details

No response

Screenshots

No response

References

No response

[tenthirtyam]

This is already being tracked.

The version of Go was already bumped in #676 and /gprc will follow for the next release once I return from being out of office.

Ryan Johnson, Broadcom