Description
Advisory GHSA-p2gr-hm8g-q772 references a vulnerability in the following Go modules:
| Module |
|---|
| go.temporal.io/server |
Description:
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.
This issue affects Tempor...
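An added illustration of the flaw and the fix in simplified Go (not code from the advisory, from temporalio/temporal#8839, or from Temporal itself): the two request types, the per-namespace size gate and the namespace names are assumed stand-ins that follow the advisory's field names rather than Temporal's real protobuf definitions.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the two request types the advisory names (assumed shapes).
type StartWorkflowExecutionRequest struct {
	Namespace string
	Input     []byte
}

type ExecuteMultiOperationRequest struct {
	Namespace string // the namespace the caller was authorized for
	Start     StartWorkflowExecutionRequest
}

// Constructed per-namespace policy: a maximum input size per start request.
var maxInputBytes = map[string]int{"ns-strict": 16, "ns-loose": 1 << 20}
var ErrNamespaceMismatch = errors.New("embedded start request namespace does not match authorized namespace")

func checkInputGate(ns string, input []byte) error {
	limit, ok := maxInputBytes[ns]
	if !ok {
		return fmt.Errorf("unknown namespace %q", ns)
	}
	if len(input) > limit {
		return fmt.Errorf("namespace %q: %d-byte input exceeds limit of %d", ns, len(input), limit)
	}
	return nil
}

// validateVulnerable mirrors the flaw: the gate runs under the namespace written into the embedded request.
func validateVulnerable(req ExecuteMultiOperationRequest) error {
	return checkInputGate(req.Start.Namespace, req.Start.Input)
}

// validateFixed mirrors the fix: reject a mismatch, then gate under the outer, authorized namespace.
func validateFixed(req ExecuteMultiOperationRequest) error {
	if req.Start.Namespace != req.Namespace {
		return ErrNamespaceMismatch
	}
	return checkInputGate(req.Namespace, req.Start.Input)
}

func main() {
	req := ExecuteMultiOperationRequest{Namespace: "ns-strict",
		Start: StartWorkflowExecutionRequest{Namespace: "ns-loose", Input: make([]byte, 64)}}
	fmt.Println("vulnerable:", validateVulnerable(req), "| fixed:", validateFixed(req))
}
```

Under the vulnerable path a 64-byte input gated against the embedded "ns-loose" passes even though the caller is only authorized for "ns-strict"; the fixed path refuses the mismatch before any gate is consulted.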
References:
- ADVISORY: GHSA-p2gr-hm8g-q772
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-14986
- FIX: Validate MultiOperation namespace match temporalio/temporal#8839
- WEB: https://github.com/temporalio/temporal/releases/tag/v1.27.4
- WEB: https://github.com/temporalio/temporal/releases/tag/v1.28.2
- WEB: https://github.com/temporalio/temporal/releases/tag/v1.29.2
Cross references:
- go.temporal.io/server appears in 3 other report(s):
  - data/reports/GO-2023-1879.yaml (x/vulndb: potential Go vuln in github.com/temporalio/temporal: CVE-2023-3485 #1879)
  - data/reports/GO-2024-2689.yaml (x/vulndb: potential Go vuln in github.com/temporalio/temporal: GHSA-wmxc-v39r-p9wf #2689)
  - data/reports/GO-2025-3953.yaml (x/vulndb: potential Go vuln in go.temporal.io/server: GHSA-p768-c3pr-6459 #3953)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: go.temporal.io/server
      versions:
          - introduced: 1.24.0
          - fixed: 1.27.4
          - introduced: 1.28.0
          - fixed: 1.28.2
          - introduced: 1.29.0
          - fixed: 1.29.2
      vulnerable_at: 1.29.1
summary: |-
    Temporal has a namespace policy bypass allowing requests to be authorized for
    incorrect contexts in go.temporal.io/server
cves:
    - CVE-2025-14986
ghsas:
    - GHSA-p2gr-hm8g-q772
references:
    - advisory: https://github.com/advisories/GHSA-p2gr-hm8g-q772
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-14986
    - fix: https://github.com/temporalio/temporal/pull/8839
    - web: https://github.com/temporalio/temporal/releases/tag/v1.27.4
    - web: https://github.com/temporalio/temporal/releases/tag/v1.28.2
    - web: https://github.com/temporalio/temporal/releases/tag/v1.29.2
source:
    id: GHSA-p2gr-hm8g-q772
    created: 2025-12-31T23:01:16.59595058Z
review_status: UNREVIEWED
```