
v1.29.3 vulnerabilities #9280

@thejacekim

Expected Behavior

No more CVEs found of HIGH or CRITICAL severity.

Actual Behavior

The following CVEs have been found in temporalio/server:1.29.3

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/server:1.29.3 from Dockerhub
  2. Scan the image with any vulnerability scanner

I've used trivy

$ trivy image temporalio/server:1.29.3 
$ trivy --version
Version: 0.69.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-02-10 18:45:00.479326566 +0000 UTC
  NextUpdate: 2026-02-11 18:45:00.479326385 +0000 UTC
  DownloadedAt: 2026-02-10 21:53:53.003757 +0000 UTC

CVE             Severity  Package               Installed Version  Fixed Version
CVE-2025-15467  CRITICAL  libcrypto3            3.5.0-r0           3.5.5-r0
CVE-2025-15467  CRITICAL  libssl3               3.5.0-r0           3.5.5-r0
CVE-2025-69419  HIGH      libcrypto3            3.5.0-r0           3.5.5-r0
CVE-2025-69419  HIGH      libssl3               3.5.0-r0           3.5.5-r0
CVE-2025-22869  HIGH      golang.org/x/crypto   v0.32.0            0.35.0
CVE-2025-47907  HIGH      stdlib (Go)           v1.24.4            1.23.12, 1.24.6
CVE-2025-22868  HIGH      golang.org/x/oauth2   v0.7.0             0.27.0
CVE-2025-58183  HIGH      stdlib (Go)           v1.25.0            1.24.8, 1.25.2

Specifications

  • Version: v1.29.3
  • Platform: mac/os, but shouldn't quite matter.

Thank you.
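
Added example, not part of the original issue or of the Temporal project: a Python sketch that collapses a Trivy JSON report into one upgrade item per package and applies the "no HIGH or CRITICAL" gate from Expected Behavior. The report is constructed from the table above; the `Target` strings, the `os-pkgs`/`lang-pkgs` class assignment and the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed report in the shape of `trivy image --format json` output.
# Finding values are copied from the table in the issue. Class assignment and
# Target strings are assumptions: the issue does not name the scanned files,
# and a real report has one Result per Go binary rather than one for all.
ROWS = [  # (class, CVE, severity, package, installed, fixed)
    ("os-pkgs", "CVE-2025-15467", "CRITICAL", "libcrypto3", "3.5.0-r0", "3.5.5-r0"),
    ("os-pkgs", "CVE-2025-15467", "CRITICAL", "libssl3", "3.5.0-r0", "3.5.5-r0"),
    ("os-pkgs", "CVE-2025-69419", "HIGH", "libcrypto3", "3.5.0-r0", "3.5.5-r0"),
    ("os-pkgs", "CVE-2025-69419", "HIGH", "libssl3", "3.5.0-r0", "3.5.5-r0"),
    ("lang-pkgs", "CVE-2025-22869", "HIGH", "golang.org/x/crypto", "v0.32.0", "0.35.0"),
    ("lang-pkgs", "CVE-2025-47907", "HIGH", "stdlib", "v1.24.4", "1.23.12, 1.24.6"),
    ("lang-pkgs", "CVE-2025-22868", "HIGH", "golang.org/x/oauth2", "v0.7.0", "0.27.0"),
    ("lang-pkgs", "CVE-2025-58183", "HIGH", "stdlib", "v1.25.0", "1.24.8, 1.25.2"),
]

def build_report(rows):
    by_class = defaultdict(list)
    for cls, cve, sev, pkg, inst, fixed in rows:
        by_class[cls].append({"VulnerabilityID": cve, "Severity": sev, "PkgName": pkg,
                              "InstalledVersion": inst, "FixedVersion": fixed})
    return json.dumps({"Results": [
        {"Target": f"<placeholder {cls} target>", "Class": cls, "Vulnerabilities": vulns}
        for cls, vulns in by_class.items()]})

def work_items(report_json, severities=("HIGH", "CRITICAL")):
    """One entry per (class, package, installed version) instead of one per CVE row."""
    items = {}
    for result in json.loads(report_json).get("Results", []):
        # A target with no findings may carry no "Vulnerabilities" key at all.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            key = (result.get("Class", "unknown"), v["PkgName"], v["InstalledVersion"])
            item = items.setdefault(key, {"cves": [], "fixed": set()})
            item["cves"].append(v["VulnerabilityID"])
            item["fixed"].add(v.get("FixedVersion") or "<no fix released>")
    return items

def gate_passes(report_json):
    """The issue's expected behaviour: no HIGH or CRITICAL findings remain."""
    return not work_items(report_json)

if __name__ == "__main__":
    report = build_report(ROWS)
    for (cls, pkg, inst), item in sorted(work_items(report).items()):
        print(f"{cls:9} {pkg:20} {inst:9} -> {sorted(item['fixed'])} {item['cves']}")
    print("gate passes:", gate_passes(report))
```

The eight table rows reduce to six upgrade items, and the two `stdlib` entries stay separate because their installed versions differ.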
