All published versions of app-builder-bin — including the latest 5.0.0-alpha.13 — are compiled with go1.21.13, which is affected by three high/critical CVEs:
| CVE | CVSS | Description |
| --- | --- | --- |
| CVE-2025-22871 | 9.1 | net/http: request smuggling via malformed chunked encoding |
| CVE-2025-68121 | 10.0 | net/http: arbitrary code execution via HTTP/2 CONTINUATION frames |
| CVE-2024-3566 | 9.1 | cmd/go: argument injection in go tool invocation on Windows |

These are fixed in Go 1.22+.
Impact: app-builder-bin is a build-time tool, so end users aren't directly exposed — but it runs on CI pipelines and developer machines, and CVE-2025-68121 in particular (CVSS 10.0) warrants a rebuild regardless of deployment context.
Verified affected versions: 4.2.0 (go1.21.1), 5.0.0-alpha.10 through 5.0.0-alpha.13 (all go1.21.13).
Request: Please rebuild and publish app-builder-bin compiled with Go ≥1.22.
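
One way to check which Go toolchain a published binary was built with, and whether it meets the Go ≥1.22 floor requested above. This is an added example, not code from the issue or from the app-builder project; `meetsFloor` and `run` are hypothetical names, and the binary paths are whatever you pass on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

const minMinor = 22 // floor requested in the issue: Go >= 1.22

// meetsFloor reports whether a toolchain string such as "go1.21.13"
// (or "go1.22rc1") is Go 1.22 or newer.
func meetsFloor(v string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	if !strings.HasPrefix(v, "go") || len(parts) < 2 {
		return false, fmt.Errorf("unrecognised toolchain string %q", v)
	}
	// Keep only the leading digits of the minor field ("22rc1" -> "22").
	notDigit := func(r rune) bool { return r < '0' || r > '9' }
	if end := strings.IndexFunc(parts[1], notDigit); end >= 0 {
		parts[1] = parts[1][:end]
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("unrecognised toolchain string %q", v)
	}
	return major > 1 || (major == 1 && minor >= minMinor), nil
}

// run checks each binary path and returns a process exit code:
// 0 when every binary meets the floor, 1 otherwise.
func run(paths []string) int {
	code := 0
	for _, p := range paths {
		info, err := buildinfo.ReadFile(p) // build info embedded by the Go linker
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			code = 1
			continue
		}
		ok, err := meetsFloor(info.GoVersion)
		if err != nil || !ok {
			code = 1
		}
		fmt.Printf("%s: %s meets-floor=%v\n", p, info.GoVersion, ok)
	}
	return code
}

func main() { os.Exit(run(os.Args[1:])) }
```

The non-zero exit code lets a CI job fail when any checked binary was built with a toolchain older than Go 1.22.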