akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix; CVE-2025-68156 remediation

Browse Source 
- Changed report title to reflect security audit focus
- Updated date and status to indicate approval for commit
- Enhanced executive summary with detailed validation results
- Included comprehensive test coverage results for backend and frontend
- Documented pre-commit hooks validation and known issues
- Added detailed security scan results, confirming absence of CVE-2025-68156
- Verified binary inspection for expr-lang dependency
- Provided risk assessment and recommendations for post-merge actions
- Updated compliance matrix and final assessment sections
- Improved overall report structure and clarity
This commit is contained in:
GitHub Actions
2026-01-11 19:33:25 +00:00
parent db7490d763
commit e06eb4177b
43 changed files with 4230 additions and 2661 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
SECURITY.md
View File

@@ -393,6 +393,29 @@ This pattern ensures:
---
## Recently Resolved Vulnerabilities
Charon maintains transparency about security issues and their resolution. Below is a comprehensive record of recently patched vulnerabilities.
### CVE-2025-68156 (expr-lang/expr ReDoS)
- **Severity**: HIGH (CVSS 7.5)
- **Component**: expr-lang/expr (used by CrowdSec for expression evaluation)
- **Vulnerability**: Regular Expression Denial of Service (ReDoS)
- **Description**: Malicious regular expressions in CrowdSec scenarios or parsers could cause CPU exhaustion and service degradation through exponential backtracking in vulnerable regex patterns.
- **Fixed Version**: expr-lang/expr v1.17.7
- **Resolution Date**: January 11, 2026
- **Remediation**: Upgraded CrowdSec to build from source with patched expr-lang/expr v1.17.7
- **Verification**:
- Binary inspection: `go version -m ./cscli` confirms v1.17.7 in compiled artifacts
- Container scan: Trivy reports 0 HIGH/CRITICAL vulnerabilities in application code
- Runtime testing: CrowdSec scenarios and parsers load successfully with patched library
- **Impact**: No known exploits in Charon deployments; preventive upgrade completed
- **Status**: ✅ **PATCHED** — Verified in all release artifacts
- **Technical Details**: See [CrowdSec Source Build Documentation](docs/plans/crowdsec_source_build.md)
---
## Known Security Considerations
### Third-Party Dependencies