Summary
jfrog-cli is built with Go 1.26.3, which is vulnerable to a denial-of-service in mime.WordDecoder.DecodeHeader (CVE-2026-42504 / GO-2026-5038).
Vulnerability Details
| Field | Value |
|---|---|
| CVE | CVE-2026-42504 |
| OSV | GO-2026-5038 |
| Severity | High |
| Affected | github.com/golang/go from go1.26.0 before go1.26.4 |
| Fix | go1.26.4 (released 2026-06-02) |
Evidence — JFrog Xray scan
We noticed this while running Xray scans on CI agent images that bundle the jfrog-cli binary. A build scan of an image running jf version 2.111.0 (Go 1.26.3) surfaces:
| CVE | Severity | Component | Version | Fixed in |
|---|---|---|---|---|
| CVE-2026-42504 | High | github.com/golang/go | 1.26.3 | 1.26.4 |
| CVE-2026-42507 | Medium | github.com/golang/go | 1.26.3 | 1.26.4 |
| CVE-2026-27145 | Medium | github.com/golang/go | 1.26.3 | — |
Go 1.26.4 resolves the first two. It would be great to get this patched upstream so the fix flows through automatically.
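Xray reports the toolchain version by reading the build info Go embeds in every binary, and the same check is easy to reproduce locally when verifying an image or a rebuilt release. The program below is an added example for this report, not code from jfrog-cli or JFrog Xray: it reads the Go version recorded in a binary with the standard `debug/buildinfo` package and tests it against the affected range from the table above (`go1.26.0` inclusive to `go1.26.4` exclusive). The binary path is whatever the reader passes on the command line; with no arguments it checks the toolchain it was built with itself.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// Affected range taken from the advisory table: introduced <= v < fixed.
const (
	introduced = "go1.26.0"
	fixed      = "go1.26.4"
)

// parseGoVersion turns a toolchain string such as "go1.26.3" (or
// "go1.26.3 X:boringcrypto", as runtime.Version may report) into [1 26 3].
// Pre-release tags ("go1.26rc1") keep only the numeric prefix of each
// component, so they are treated conservatively as the matching .0 release.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	fields := strings.Fields(v)
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go") {
		return out, fmt.Errorf("not a Go toolchain version: %q", v)
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	for i := 0; i < 3 && i < len(parts); i++ {
		j := 0
		for j < len(parts[i]) && parts[i][j] >= '0' && parts[i][j] <= '9' {
			j++
		}
		n, err := strconv.Atoi(parts[i][:j])
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", parts[i], v)
		}
		out[i] = n
	}
	return out, nil
}

// compare orders two parsed versions: -1, 0 or 1.
func compare(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// Affected reports whether goVersion falls inside the advisory's range.
func Affected(goVersion string) (bool, error) {
	v, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	lo, _ := parseGoVersion(introduced)
	hi, _ := parseGoVersion(fixed)
	return compare(v, lo) >= 0 && compare(v, hi) < 0, nil
}

// CheckBinary reads the build info embedded in a Go executable (for example
// the jf binary unpacked from a CI image) and returns its toolchain version
// together with the verdict.
func CheckBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	aff, err := Affected(info.GoVersion)
	return info.GoVersion, aff, err
}

func main() {
	if len(os.Args) < 2 {
		// No paths given: report on the toolchain this program was built with.
		aff, err := Affected(runtime.Version())
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("this binary: %s affected=%v\n", runtime.Version(), aff)
		return
	}
	exit := 0
	for _, p := range os.Args[1:] {
		ver, aff, err := CheckBinary(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			exit = 2
			continue
		}
		fmt.Printf("%s: %s affected=%v\n", p, ver, aff)
		if aff {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run as `go run . /path/to/jf` against the binary extracted from the image; exit status 1 means an affected toolchain, 2 means the file could not be read as a Go binary. The range constants are the only advisory-specific part, so the same check applies to the other two findings in the scan output once their affected ranges are filled in.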
Fix
One-line change in go.mod — a PR is attached:
References