⚠️ Action Required
Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments.


This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs.


🔒 Comprehensive Security Updates for Core Dependencies

🔒 Security Advisory
CVE ID: Multiple CVEs

Maintaining the security of your certificate management infrastructure is paramount, and this release reinforces cert-manager’s foundation with a series of dependency updates. We’ve patched several Go libraries with known Common Vulnerabilities and Exposures (CVEs), so that your deployments do not carry those weaknesses forward.

We’ve updated key Go libraries across the cert-manager components, including go-jose/go-jose/v4, golang-jwt/jwt/v5, golang.org/x/crypto, golang.org/x/oauth2, and golang.org/x/net. These updates directly address reported vulnerabilities, ensuring that cert-manager picks up the latest security fixes from these widely used dependencies. Because each component (acmesolver, cainjector, controller, startupapicheck, webhook) has its own go.mod, the bumps were applied in every one of them as well as in the root module.

Specifically, the go-jose library, crucial for JWT (JSON Web Token) operations, has been bumped from v4.0.2 to v4.0.5 to mitigate CVE-2025-27144. Similarly, golang-jwt/jwt/v5 was updated from v5.2.1 to v5.2.2 to patch CVE-2025-30204.

Critical golang.org/x packages also received updates: golang.org/x/crypto was bumped from v0.31.0 to v0.36.0 (addressing CVE-2025-22869), golang.org/x/oauth2 from v0.24.0 to v0.28.0 (addressing CVE-2025-22868), and golang.org/x/net from v0.33.0 to v0.38.0 (addressing CVE-2025-22870).

These bumps ensure that cert-manager components inherit the latest security patches, protecting against vulnerabilities in cryptographic operations, authentication, and network communication.
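If you vendor cert-manager as a library or build your own images from it, the practical question is whether every go.mod in your tree is at or above the fixed versions listed above. The following is an added example, not part of the cert-manager project, that parses a go.mod (a constructed fragment carrying the pre-patch versions from this release note is embedded inline) and reports each tracked module that is still below its minimum. The module paths and minimum versions are taken from the text; the go.mod contents and the function names are this example’s own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// minimumSafe maps each module named in the release note to the first
// version that carries the referenced fix (values from the note).
var minimumSafe = map[string]string{
	"github.com/go-jose/go-jose/v4": "v4.0.5",
	"github.com/golang-jwt/jwt/v5":  "v5.2.2",
	"golang.org/x/crypto":           "v0.36.0",
	"golang.org/x/oauth2":           "v0.28.0",
	"golang.org/x/net":              "v0.38.0",
}

// sampleGoMod is a constructed go.mod fragment: four modules sit at the
// pre-patch versions, oauth2 is already at the minimum.
const sampleGoMod = `module example.com/cert-manager-consumer

go 1.23.0

require (
	github.com/go-jose/go-jose/v4 v4.0.2
	github.com/golang-jwt/jwt/v5 v5.2.1
	golang.org/x/crypto v0.31.0 // indirect
	golang.org/x/net v0.33.0
	golang.org/x/oauth2 v0.28.0
)
`

// parseVersion turns "vX.Y.Z[-pre][+build]" into three integers; the
// pre-release and build suffixes are dropped before comparison.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether a is strictly older than b.
func olderThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Requirements extracts module -> version from both the block form
// "require ( ... )" and the single-line form "require m v".
func Requirements(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// Outdated returns the tracked modules whose required version is below
// the minimum, with a short "have < want" explanation for each.
func Outdated(gomod string, minimums map[string]string) map[string]string {
	found := map[string]string{}
	for mod, have := range Requirements(gomod) {
		want, tracked := minimums[mod]
		if !tracked {
			continue
		}
		hv, err1 := parseVersion(have)
		wv, err2 := parseVersion(want)
		if err1 != nil || err2 != nil {
			found[mod] = have + " (unparseable)"
			continue
		}
		if olderThan(hv, wv) {
			found[mod] = have + " < " + want
		}
	}
	return found
}

func main() {
	for mod, msg := range Outdated(sampleGoMod, minimumSafe) {
		fmt.Printf("%s: %s\n", mod, msg)
	}
}
```

To run it against a real tree, read each cmd/*/go.mod and the root go.mod into the string passed to Outdated; a module that is absent from a go.mod is simply not reported, so an empty result for a component means "nothing tracked is behind", not "nothing is used".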

Source:

  • LICENSES (lines 53-66,146-155)

  • cmd/acmesolver/go.mod (lines 40-42)

  • cmd/cainjector/go.mod (lines 65-72)

  • cmd/controller/go.mod (lines 68-75)

  • cmd/startupapicheck/go.mod (lines 75-82)

  • cmd/webhook/go.mod (lines 76-83)

  • go.mod (lines 36-40,92-98)


✨ Enhanced DNS Resolver Stability for E2E Tests

To improve the reliability and predictability of our end-to-end (E2E) tests, especially those involving ACME DNS01 challenges, cert-manager now uses a mirrored version of the bind9 image. Moving from public Docker Hub images to a trusted mirror hosted within cert-manager’s infrastructure insulates the test environment from upstream changes and external registry outages.

The change involves updating the IMAGE_bind_amd64 and IMAGE_bind_arm64 variables in make/e2e-setup.mk. Instead of pulling from docker.io/ubuntu/bind9, we now reference a dedicated mirror, preventing potential disruptions from external registry issues or upstream image modifications:

-IMAGE_bind_amd64 := docker.io/ubuntu/bind9:9.18-22.04_beta@sha256:69b27585043985948fb7be88a49c44364f1cb8cfbc2626b2cfedfa2e68db50ee
+IMAGE_bind_amd64 := europe-west1-docker.pkg.dev/cert-manager-tests-trusted/cert-manager-infra-images/bind9:9.18-22.04_beta@sha256:8c45ba363b2921950161451cf3ff58dff1816fa46b16fb8fa601d5500cdc2ffc
-IMAGE_bind_arm64 := docker.io/ubuntu/bind9:9.18-22.04_beta@sha256:912dbb6c360e3ffecbf9b0248a856d670121db5a655173b2781c0c650a979330
+IMAGE_bind_arm64 := europe-west1-docker.pkg.dev/cert-manager-tests-trusted/cert-manager-infra-images/bind9:9.18-22.04_beta@sha256:7fcfebdfacf52fa0dee2b1ae37ebe235fe169cbc404974c396937599ca69da6f
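Review bot: the sha256 digests change together with the registry on both the amd64 and the arm64 line, so the mirrored bind9:9.18-22.04_beta is not a byte-identical copy of the docker.io/ubuntu/bind9 image it replaces; a plain registry-to-registry copy of the same per-platform manifest would have kept the same digest. Please record, in the commit message or as a comment next to these assignments in make/e2e-setup.mk, how the mirror images were produced (re-pushed manifest, rebuild, or something else), so a reviewer can tie each new digest back to the upstream one instead of trusting the mirror on the strength of its name.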

Additionally, a related fix was applied to lookupNameserversTestsOK in pkg/issuer/acme/dns/util/wait_test.go to account for a change in the upstream nameservers for ‘physics.georgetown.edu.’, keeping that DNS resolution test aligned with the real-world nameserver set it checks against.
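The two properties that make the mirrored reference above trustworthy are that it comes from a registry you control and that it is pinned by an immutable digest rather than a mutable tag. The following is an added example, not code from the cert-manager project, that reads IMAGE_* assignments in the style of make/e2e-setup.mk, decomposes each reference into registry, repository, tag and digest, and flags references that are either outside a trusted-registry allowlist or not digest-pinned. The Makefile fragment is constructed for the example (the two bind9 lines reuse the references from this note; the alpine line is invented to show an unpinned image), and the function names are this example’s own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is the decomposed form of [registry/]repo[:tag][@sha256:hex].
type ImageRef struct {
	Registry string
	Repo     string
	Tag      string
	Digest   string
}

// sampleMakefile is a constructed fragment: the docker.io bind9 line is
// the pre-change reference, the pkg.dev line the mirrored one, and the
// alpine line is an invented, unpinned reference.
const sampleMakefile = `IMAGE_bind_amd64 := docker.io/ubuntu/bind9:9.18-22.04_beta@sha256:69b27585043985948fb7be88a49c44364f1cb8cfbc2626b2cfedfa2e68db50ee
IMAGE_bind_arm64 := europe-west1-docker.pkg.dev/cert-manager-tests-trusted/cert-manager-infra-images/bind9:9.18-22.04_beta@sha256:7fcfebdfacf52fa0dee2b1ae37ebe235fe169cbc404974c396937599ca69da6f
IMAGE_example := docker.io/library/alpine:3.19
`

var (
	assignRe = regexp.MustCompile(`^(IMAGE_\w+)\s*:=\s*(\S+)\s*$`)
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
)

// ParseRef splits an OCI image reference. The first path component is
// treated as a registry only when it looks like a host (contains '.' or
// ':' or is "localhost"); otherwise Docker Hub is implied.
func ParseRef(ref string) (ImageRef, error) {
	var r ImageRef
	name := ref
	if i := strings.Index(ref, "@"); i >= 0 {
		r.Digest = ref[i+1:]
		name = ref[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("malformed digest in %q", ref)
		}
	}
	// The tag is the text after the last ':' that follows the last '/',
	// so "host:5000/repo" is not mistaken for a tagged reference.
	slash := strings.LastIndex(name, "/")
	if colon := strings.LastIndex(name, ":"); colon > slash {
		r.Tag = name[colon+1:]
		name = name[:colon]
	}
	first, rest, found := strings.Cut(name, "/")
	if found && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, r.Repo = first, rest
	} else {
		r.Registry, r.Repo = "docker.io", name
	}
	if r.Repo == "" {
		return r, fmt.Errorf("empty repository in %q", ref)
	}
	return r, nil
}

// Audit returns one finding per policy violation, in file order: an
// untrusted registry, a missing digest, or an unparseable reference.
func Audit(makefile string, trusted map[string]bool) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(makefile))
	for sc.Scan() {
		m := assignRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		varName, ref := m[1], m[2]
		r, err := ParseRef(ref)
		if err != nil {
			findings = append(findings, varName+": "+err.Error())
			continue
		}
		if !trusted[r.Registry] {
			findings = append(findings, varName+": registry "+r.Registry+" is not in the trusted list")
		}
		if r.Digest == "" {
			findings = append(findings, varName+": not pinned by digest (tag "+r.Tag+" is mutable)")
		}
	}
	return findings
}

func main() {
	trusted := map[string]bool{"europe-west1-docker.pkg.dev": true}
	for _, f := range Audit(sampleMakefile, trusted) {
		fmt.Println(f)
	}
}
```

Digest pinning alone does not tell you the image is what it claims to be; it only guarantees that what gets pulled tomorrow is what was reviewed today. Pair a check like this with a record of how each mirrored digest was derived from its upstream.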

Source:

  • make/e2e-setup.mk (lines 30-45)

  • pkg/issuer/acme/dns/util/wait_test.go (lines 35-37)


Minor Updates & Housekeeping

This release also updates the underlying Go toolchain from v1.23.0 to v1.23.8, refreshes various base images to their latest Debian 12 counterparts (gcr.io/distroless/static-debian12 and base-debian12), and includes routine go-tidy and license generation updates for general maintenance and consistency.