⚠️ Action Required
Immediate patching is highly recommended to address critical security vulnerabilities. Operations engineers must also review their Helm chart configurations for nodeSelector behavior changes to avoid deployment disruptions.


📝 Summary

cert-manager v1.19.2 brings security updates and internal modernization. The Go runtime and core golang.org/x dependencies are updated to pick up fixes for CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, and CVE-2025-58181. A key change for Helm users is how nodeSelector values combine: component-specific selectors are now merged on top of global.nodeSelector, overriding only the keys they set, so existing deployments need review. The release also removes the outdated autocert package, makes the ACME client error out on the insecure TLS-SNI-01/TLS-SNI-02 challenges, and fixes TLS-ALPN-01 handling of IP address identifiers. Upgrade promptly to secure your clusters and review Helm configurations.


🔒 Critical Security Updates and Dependency Hardening

🔒 Security Advisory
CVE ID: CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, CVE-2025-58181
CVSS Score: 7.5 (High)

This release patches core dependencies that every cert-manager component links into its binary: the Go runtime and the golang.org/x extensions of the standard library. Because the fixes ship inside the rebuilt images rather than as cluster configuration, they only take effect once the controller, webhook, cainjector, acmesolver and startupapicheck images have been rolled out to the new tag.

cert-manager v1.19.2 updates the Go runtime from v1.25.3 to v1.25.5; this bump addresses CVE-2025-61727 and CVE-2025-61729. Several golang.org/x/* dependencies are upgraded as well, incorporating fixes for CVE-2025-47914 and CVE-2025-58181. The dependency updates cover golang.org/x/crypto, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text, golang.org/x/mod, and golang.org/x/tools across all cert-manager components. To confirm a deployed image carries the new toolchain, run `go version -m` against the extracted binary and check that it reports go1.25.5.

--- a/make/_shared/tools/00_mod.mk
+++ b/make/_shared/tools/00_mod.mk
@@ -217,7 +217,7 @@ tools += $(ADDITIONAL_TOOLS)
 # https://go.dev/dl/
 # renovate: datasource=golang-version packageName=go
-VENDORED_GO_VERSION := 1.25.3
+VENDORED_GO_VERSION := 1.25.5
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
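Review bot: this hunk only moves the toolchain that the Makefile downloads (VENDORED_GO_VERSION); the `go` and `toolchain` directives in go.mod and the cmd/*/go.mod files listed under Source are pinned separately, so confirm they were raised to 1.25.5 in the same change, otherwise a plain `go build` outside the make wrapper still resolves the old toolchain and the CVE-2025-61727/CVE-2025-61729 fixes are not picked up there. Leaving the `# renovate: datasource=golang-version packageName=go` annotation directly above the variable is correct, since that line is what lets the bot propose the next bump.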

Source:

  • cmd/acmesolver/go.mod (41-43)
  • cmd/cainjector/go.mod (63-68)
  • cmd/controller/go.mod (14-14)
  • cmd/startupapicheck/go.mod (70-75)
  • cmd/webhook/go.mod (73-78)
  • go.mod (34-35)
  • make/_shared/tools/00_mod.mk (217-217)
  • make/base_images.mk (1-10)

⚠️ Helm Chart: Enhanced Node Selector Merging

For users managing cert-manager deployments with Helm, this release changes how nodeSelector configurations are handled. Previously, a component-specific nodeSelector completely replaced any global setting. Now component-specific nodeSelector values are merged with global.nodeSelector, so common node selection criteria can be defined once globally while individual components override only the keys they need.

The Helm chart now applies a merge strategy to nodeSelector fields. If global.nodeSelector is defined, it serves as the base, and any nodeSelector defined for a specific component (cainjector, controller, webhook, or startupapicheck) is merged on top; where keys conflict, the component-specific value wins. Note that a merge can override a global key but never drop it, so this is a breaking change for deployments that relied on the complete override behavior. Adjust your component-specific nodeSelector configurations accordingly.

# Previous behavior (prior to v1.19.2):
# If .Values.cainjector.nodeSelector existed, it would completely replace .Values.global.nodeSelector

# New behavior (v1.19.2 and later):
# The global nodeSelector is used as a base.
# Component-specific nodeSelector values are merged on top, with component-specific keys taking precedence.

# Example of new merge logic in templates:
# mergeOverwrite gives precedence to the right-most argument, so component keys win
# (Sprig's plain merge would let the global value win on conflicting keys).
# An empty dict is the destination so .Values.global.nodeSelector is not mutated in place
# and later templates still see the original global map.
{{- $nodeSelector := mergeOverwrite (dict) (.Values.global.nodeSelector | default dict) (.Values.cainjector.nodeSelector | default dict) }}
{{- with $nodeSelector }}
nodeSelector:
  {{- range $key, $value := . }}
  {{ $key }}: {{ $value | quote }}
  {{- end }}
{{- end }}

Action Required: Review your Helm values for any nodeSelector configurations. If a component-specific selector was meant to replace the global one entirely, the rendered selector now also carries every global key the component does not override, which can leave pods unschedulable if no node satisfies the combined set; move such keys out of global.nodeSelector and set them per component instead.
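To make the review above concrete, the following Go program (an added example written for this summary, not code from the cert-manager chart) models both selector rules over a constructed values file and reports, per component, which global keys it newly inherits, then checks the effect against a sample node's labels. The `Values` type, the component and label names, and the assumption that an unset component selector fell back to global under the old rule are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Values is a hypothetical, reduced view of the chart's values: global.nodeSelector
// plus one nodeSelector per component, keyed by the chart's component names.
type Values struct {
	Global     map[string]string
	Components map[string]map[string]string
}

func clone(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// legacySelector models the pre-v1.19.2 rule as the release notes describe it:
// a non-empty component selector replaces global.nodeSelector completely, and an
// unset one falls back to global (the fallback is an assumption of this example).
func legacySelector(global, component map[string]string) map[string]string {
	if len(component) > 0 {
		return clone(component)
	}
	return clone(global)
}

// mergedSelector models the v1.19.2 rule: global is the base and component keys are
// laid on top, so a component can override a global key but can never remove one.
func mergedSelector(global, component map[string]string) map[string]string {
	out := clone(global)
	for k, v := range component {
		out[k] = v
	}
	return out
}

// InheritedKeys lists, per component, the global keys that appear in the rendered
// nodeSelector after the upgrade but did not before. Any entry means that component's
// scheduling constraints tightened, which is what the "Action Required" review is for.
func InheritedKeys(v Values) map[string][]string {
	report := map[string][]string{}
	for name, comp := range v.Components {
		before := legacySelector(v.Global, comp)
		after := mergedSelector(v.Global, comp)
		var added []string
		for k := range after {
			if _, ok := before[k]; !ok {
				added = append(added, k)
			}
		}
		if len(added) > 0 {
			sort.Strings(added)
			report[name] = added
		}
	}
	return report
}

// Schedulable reports whether a node with the given labels satisfies a selector:
// every selector key must be present on the node with exactly that value.
func Schedulable(selector, nodeLabels map[string]string) bool {
	for k, v := range selector {
		if got, ok := nodeLabels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// sampleValues is constructed input for this example, not a real values file.
func sampleValues() Values {
	return Values{
		Global: map[string]string{
			"kubernetes.io/os":            "linux",
			"topology.kubernetes.io/zone": "eu-west-1a",
		},
		Components: map[string]map[string]string{
			// Pinned to a dedicated pool; under the old rule that was its only constraint.
			"cainjector": {"node-role.example.com/pki": "true"},
			// Overrides the zone only; under the old rule it lost the os key, now it keeps it.
			"webhook": {"topology.kubernetes.io/zone": "eu-west-1b"},
			// Sets nothing, so it uses global.nodeSelector under both rules.
			"controller": {},
		},
	}
}

func main() {
	v := sampleValues()
	for name, keys := range InheritedKeys(v) {
		fmt.Printf("%s now also requires %v from global.nodeSelector\n", name, keys)
	}
	// A pki-pool node outside zone eu-west-1a: cainjector fit it before, not after.
	node := map[string]string{
		"kubernetes.io/os": "linux", "topology.kubernetes.io/zone": "eu-west-1c", "node-role.example.com/pki": "true",
	}
	fmt.Println("cainjector schedulable on it after upgrade:",
		Schedulable(mergedSelector(v.Global, v.Components["cainjector"]), node))
}
```

Run it against your own values (translated into the `Values` struct) before upgrading: any component listed by `InheritedKeys` needs either a matching node pool or the inherited keys removed from `global.nodeSelector`.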

Source:

  • deploy/charts/cert-manager/README.template.md (103-103)
  • deploy/charts/cert-manager/templates/cainjector-deployment.yaml (139-141)
  • deploy/charts/cert-manager/templates/deployment.yaml (212-214)
  • deploy/charts/cert-manager/templates/startupapicheck-job.yaml (79-81)
  • deploy/charts/cert-manager/templates/webhook-deployment.yaml (183-185)
  • deploy/charts/cert-manager/values.schema.json (775-777)
  • deploy/charts/cert-manager/values.yaml (18-18)

⚡ ACME Protocol Modernization and autocert Removal

This release modernizes cert-manager's ACME client, improving security and alignment with the ACME RFC. Unused, less secure challenge types are deprecated and the TLS-ALPN-01 challenge is made more robust, giving a more reliable and standards-compliant issuance path.

The autocert package, which had been forked and carried in-tree, has been removed entirely from third_party/forked/acme. This streamlines the codebase and drops an automatic certificate-management layer that cert-manager's core functionality did not use. At the same time, the ACME client now deprecates and returns an error for the TLS-SNI-01 and TLS-SNI-02 challenge types, which are not part of the ACME RFC and are no longer recommended due to security concerns.

The TLS-ALPN-01 challenge now handles IP address identifiers correctly. When the identifier is an IP address, the challenge builds the ServerName sent in the TLS ClientHello from the address's reverse DNS form, as specified in RFC 8738, Section 6, because the SNI extension cannot carry a literal IP address. This ensures proper validation for IP-based certificates.

ACME order error reporting has also improved: OrderError now carries a Problem field holding the problem document returned by the ACME server when an order becomes invalid, which makes validation failures easier to diagnose.

// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.
// Always returns an error.
func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (tls.Certificate, string, error) {
	return tls.Certificate{}, "", errPreRFC
}

// TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response.
// ...
// Validation requests for IP address identifiers will use the reverse DNS form in the server name
// in the TLS ClientHello since the SNI extension is not supported for IP addresses.
// See RFC 8738 Section 6 for more information.
func (c *Client) TLSALPN01ChallengeCert(token, identifier string, opt ...CertOption) (cert tls.Certificate, err error) {
	// ... logic for handling IP addresses ...
}
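As an added illustration of the RFC 8738 behaviour described above (example code written for this summary, not cert-manager's or golang.org/x/crypto's code), the following Go program derives the reverse-DNS ServerName for IP identifiers, builds the challenge certificate the way RFC 8737 and RFC 8738 describe it, and applies the validator-side checks. The function names, the constructed identifiers and the key authorization string are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// idPeACMEIdentifier is the id-pe-acmeIdentifier extension OID defined in RFC 8737.
var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// ChallengeServerName returns the SNI value a validator presents for an identifier:
// a DNS name verbatim, an IP address in reverse-DNS form (RFC 8738, Section 6),
// because the SNI extension cannot carry a literal IP address.
func ChallengeServerName(identifier string) string {
	ip := net.ParseIP(identifier)
	if ip == nil {
		return identifier
	}
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0])
	}
	// IPv6: 32 hex nibbles, least significant first, under ip6.arpa.
	b := ip.To16()
	nibbles := make([]string, 0, 32)
	for i := len(b) - 1; i >= 0; i-- {
		nibbles = append(nibbles, fmt.Sprintf("%x", b[i]&0x0f), fmt.Sprintf("%x", b[i]>>4))
	}
	return strings.Join(nibbles, ".") + ".ip6.arpa"
}

// ChallengeCert builds the self-signed certificate a responder serves: the identifier as
// its single SAN (an iPAddress SAN for IP identifiers, never a dNSName of the reverse
// form) plus the critical acmeIdentifier extension holding SHA-256(keyAuthorization).
func ChallengeCert(identifier, keyAuth string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extValue, err := asn1.Marshal(digest[:]) // DER OCTET STRING, as RFC 8737 Section 3 requires
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: idPeACMEIdentifier, Critical: true, Value: extValue}},
	}
	if ip := net.ParseIP(identifier); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{identifier}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChallengeCert applies the validator-side checks: exactly one SAN of the right
// type equal to the identifier, and a critical acmeIdentifier extension whose
// OCTET STRING equals SHA-256(keyAuthorization).
func VerifyChallengeCert(cert *x509.Certificate, identifier, keyAuth string) error {
	if ip := net.ParseIP(identifier); ip != nil {
		if len(cert.IPAddresses) != 1 || !cert.IPAddresses[0].Equal(ip) || len(cert.DNSNames) != 0 {
			return errors.New("expected exactly one iPAddress SAN equal to the identifier")
		}
	} else if len(cert.DNSNames) != 1 || !strings.EqualFold(cert.DNSNames[0], identifier) || len(cert.IPAddresses) != 0 {
		return errors.New("expected exactly one dNSName SAN equal to the identifier")
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(idPeACMEIdentifier) {
			continue
		}
		if !ext.Critical {
			return errors.New("acmeIdentifier extension must be marked critical")
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return errors.New("acmeIdentifier extension is not a single OCTET STRING")
		}
		if string(got) != string(want[:]) {
			return errors.New("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}
```

The last check in `VerifyChallengeCert` is the one that matters for the IP fix: a responder that wrongly puts the reverse name (`10.2.0.192.in-addr.arpa`) into a dNSName SAN is rejected, because RFC 8738 requires the literal address as an iPAddress SAN while only the ClientHello ServerName uses the reverse form.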


Minor Updates & Housekeeping

This release also includes general housekeeping, such as updates to distroless base image digests across various architectures, ensuring that cert-manager components are built on the latest secure and minimal images. Additionally, the CI test suite has been expanded to include third_party module tests, enhancing code quality and stability.