2 changes: 1 addition & 1 deletion charts/identity/values.yaml
Expand Up @@ -5,7 +5,7 @@ replicaCount: 1

image:
repository: ghcr.io/dexidp/dex
tag: v2.44.0-distroless
tag: v2.45.1-distroless

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check Dex versions available and CVE information

echo "=== Checking GitHub releases for v2.45.x ==="
# Using GitHub API to fetch releases containing v2.45
curl -s https://api.github.com/repos/dexidp/dex/releases | jq -r '.[].tag_name' 2>/dev/null | grep -E "v2\.45" | sort -V

echo ""
echo "=== Checking git tags for v2.45.x ==="
curl -s https://api.github.com/repos/dexidp/dex/git/refs/tags | jq -r '.[].ref' 2>/dev/null | grep -E "v2\.45" | sort -V

Repository: gardener/dashboard

Length of output: 197


🌐 Web query:

Dex v2.45.1 release information CVE gomplate

💡 Result:

As of March 3, 2026, the dexidp/dex project does not have a v2.45.1 release tag; the latest in that series is v2.45.0 (Feb 23, 2026). [1]

For the gomplate/CVE part, the v2.45.0 release notes say: [2]

  • gomplate in the Dex container image was bumped to v5.0.0 (breaking changes).
  • The release explicitly calls out two known CVEs in the bundled gomplate binary: CVE-2025-68121 and CVE-2026-25934.
  • gomplate is described as optional and used only for preprocessing configuration files; Dex maintainers plan to update it once upstream fixes are available.

Sources:
[1] Dex tags list (shows latest tag v2.45.0; no v2.45.1) (github.com)
[2] Dex v2.45.0 GitHub release notes (Know Before Upgrade section) (github.com)


🌐 Web query:

CVE-2025-68121 CVE-2026-25934 gomplate dex

💡 Result:

  • How this relates to Dex/gomplate: Dex’s v2.45.0 release notes state that the container image includes a gomplate binary with two known CVEs: CVE-2025-68121 and CVE-2026-25934. Dex also notes gomplate is optional and used only to preprocess configuration files, and the image will be updated once gomplate is fixed upstream. [1]

  • CVE-2025-68121 (Go stdlib crypto/tls): A Go standard library issue where, during TLS session resumption, mutating tls.Config trust fields (ClientCAs/RootCAs) between the original and resumed handshake can allow the resumed handshake to succeed when it should fail. Fixed in specific Go patch releases (see Go’s advisory for the exact version ranges). [2][3]

  • CVE-2026-25934 (go-git): A vulnerability in github.com/go-git/go-git where integrity check values for Git .pack and .idx files were not properly verified, potentially causing consumption of corrupted data and errors (e.g., “object not found”). Fixed in go-git v5.16.5; NVD lists CVSS 4.3 (Medium) from GitHub. [4][5]

Practical impact / what to do (Dex context):

  • If you don’t use gomplate features in Dex, avoid enabling gomplate-based preprocessing (Dex calls it optional) to eliminate that exposure path. [1]
  • If you do need gomplate, track for an updated gomplate (or Dex image) that incorporates Go’s fix for CVE-2025-68121 and updates go-git to v5.16.5+ (fix for CVE-2026-25934). [1][2][5]

Sources

  1. Dex v2.45.0 release notes (Know Before Upgrade) — gomplate CVEs called out: CVE-2025-68121, CVE-2026-25934. [1]
  2. Go vulnerability report GO-2026-4337 for CVE-2025-68121 (crypto/tls) and fixed Go version ranges. [2]
  3. NVD entry for CVE-2025-68121. [3]
  4. NVD entry for CVE-2026-25934 (description, fix in 5.16.5, CVSS from GitHub). [4]
  5. GitHub Security Advisory GHSA-37cx-329c-33x3 (CVE-2026-25934) — affected <=5.16.4, patched 5.16.5. [5]

Do not merge: image tag v2.45.1-distroless does not exist.

The official Dex repository (dexidp/dex) does not have a v2.45.1 release; the latest available version is v2.45.0 (Feb 23, 2026). The image tag v2.45.1-distroless referenced in this PR does not exist.

The v2.45.0 release includes two known CVEs in the bundled gomplate binary (CVE-2025-68121 and CVE-2026-25934). Since gomplate is optional and used only for preprocessing configuration files, the exposure can be mitigated by not using gomplate-based preprocessing. Dex maintainers plan to update the image once upstream fixes are available.

Additionally, gomplate has been bumped to v5.0.0, which includes breaking changes. If gomplate preprocessing is used, review the breaking changes carefully.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/identity/values.yaml` at line 8, The image tag under the YAML key
`tag` currently uses the non-existent value `v2.45.1-distroless`; change that to
an existing release (e.g., `v2.45.0` or `v2.45.0-distroless`) in the values.yaml
`tag` entry and, if your deployment uses gomplate preprocessing, disable or
avoid gomplate-based preprocessing until upstream fixes are released (or
explicitly document the CVE risk) so you don't rely on the vulnerable gomplate
in the Dex image.

pullPolicy: IfNotPresent

containerPort: 5556
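Review bot: the bump to `tag: v2.45.1-distroless` is still a bare, mutable version tag with no digest, and the check in the thread above queried GitHub releases rather than the registry this chart actually pulls from. Before merging, confirm the tag resolves on ghcr.io (for example `docker manifest inspect ghcr.io/dexidp/dex:v2.45.1-distroless`, or a HEAD request on the manifest URL) and record the digest it returns, so the chart can reference `image@sha256:...` instead of a tag that the publisher can re-point later. The image block in this hunk carries only `repository`, `tag` and `pullPolicy`, so a `digest` value (and a template that uses it when set) would need to be added alongside this change.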
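One way to do the registry-side check that the thread above did against GitHub releases, added here as an example and not code from the gardener/dashboard PR, the review bot or the Dex project. It assumes a fully qualified `registry/repo:tag` reference and a token endpoint at `https://<registry>/token` that hands out anonymous pull-scoped bearer tokens (ghcr.io provides one for public images); the function names are this example's own. The pure helpers split the reference and build the manifest URL; `resolve_digest` makes the network call and fails when the registry answers 404 for the tag, which is the authoritative answer to "does this image tag exist".

```shell
#!/bin/sh
# Added example, not from the gardener/dashboard PR, the review bot or the Dex project.
# Checks an image tag against the registry the chart pulls from and prints a
# digest-pinned reference suitable for values.yaml.
# Assumes a fully qualified reference of the form registry/repo:tag and a
# token endpoint at https://<registry>/token (ghcr.io provides one anonymously).
set -eu

# --- pure helpers: take "registry/repo:tag" apart -------------------------
ref_registry() { printf '%s\n' "${1%%/*}"; }
ref_repo()     { rest="${1#*/}"; printf '%s\n' "${rest%%:*}"; }
ref_tag()      { printf '%s\n' "${1##*:}"; }

# Manifest URL for the tag; HTTP 200 here means the tag exists in that registry,
# HTTP 404 means it does not, regardless of what GitHub releases list.
manifest_url() {
  printf 'https://%s/v2/%s/manifests/%s\n' \
    "$(ref_registry "$1")" "$(ref_repo "$1")" "$(ref_tag "$1")"
}

# Immutable "registry/repo@sha256:..." built from the tag reference and its digest.
pinned_ref() {
  printf '%s/%s@%s\n' "$(ref_registry "$1")" "$(ref_repo "$1")" "$2"
}

# --- network: resolve the tag to its manifest digest ----------------------
resolve_digest() {
  registry="$(ref_registry "$1")"
  repo="$(ref_repo "$1")"
  # Anonymous pull-scoped bearer token; the registry answers 401 without it.
  token="$(curl -fsS "https://${registry}/token?scope=repository:${repo}:pull" \
           | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p')"
  [ -n "$token" ] || { echo "no token from ${registry}" >&2; return 1; }
  # HEAD the manifest (curl -f turns a 404 into a non-zero exit) and keep the
  # Docker-Content-Digest header, which is the digest to pin in values.yaml.
  curl -fsSI \
    -H "Authorization: Bearer ${token}" \
    -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json' \
    "$(manifest_url "$1")" \
    | tr -d '\r' | awk 'tolower($1) == "docker-content-digest:" { print $2 }'
}

# Usage: sh check-tag.sh ghcr.io/dexidp/dex:v2.45.1-distroless
# Only the network part needs an argument; the helpers above work on their own.
if [ -n "${1:-}" ]; then
  if digest="$(resolve_digest "$1")" && [ -n "$digest" ]; then
    pinned_ref "$1" "$digest"
  else
    echo "tag not found in registry: $1" >&2
    exit 1
  fi
fi
```

Run it with the reference from the hunk as its only argument; a non-zero exit with "tag not found in registry" is the result to expect for a tag the registry does not serve, and on success the printed `ghcr.io/dexidp/dex@sha256:...` line is what belongs in the chart once it has a digest field.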