KrakenD CE 2.11.1 and EE 2.11.2 (bugfixing) released

by Albert Lombarte

This minor release of KrakenD Community Edition and Enterprise Edition is a security fix that brings in all patches from Go 1.25.2, which address several CVEs.

🚀 Summary of changes for EE v2.11.2 (patch)

Security update for TLS, Cookies and x509

  • OpenAPI: Added a new option, disable_default_response_definitions, so that the 200 and 500 status codes are not documented.
  • gRPC fix: skip unset optional fields on the backend client
  • Upgraded Go to 1.25.2, fixing several CVEs (see below)
  • CVEs remediated in this release as part of the Go upgrade (false positives not listed):

  • crypto/x509: quadratic complexity when checking name constraints (CVE-2025-58187)
  • crypto/tls: ALPN negotiation errors can contain arbitrary text (CVE-2025-58189)
  • encoding/pem: quadratic complexity when parsing some invalid inputs (CVE-2025-61723)
  • encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (CVE-2025-58185)
  • net/http: lack of limit when parsing cookies can cause memory exhaustion (CVE-2025-58186)
  • crypto/x509: panic when validating certificates with DSA public keys (CVE-2025-58188)
  • net/textproto: excessive CPU consumption in Reader.ReadResponse (CVE-2025-61724)

Upgrading to the latest version is always advised.

🚀 Summary of changes for CE v2.11.1 (patch)

Security update for TLS, Cookies and x509

  • Upgraded Go to 1.25.2, fixing several CVEs (see below)
  • CVEs remediated in this release as part of the Go upgrade (false positives not listed):

  • crypto/x509: quadratic complexity when checking name constraints (CVE-2025-58187)
  • crypto/tls: ALPN negotiation errors can contain arbitrary text (CVE-2025-58189)
  • encoding/pem: quadratic complexity when parsing some invalid inputs (CVE-2025-61723)
  • encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (CVE-2025-58185)
  • net/http: lack of limit when parsing cookies can cause memory exhaustion (CVE-2025-58186)
  • crypto/x509: panic when validating certificates with DSA public keys (CVE-2025-58188)
  • net/textproto: excessive CPU consumption in Reader.ReadResponse (CVE-2025-61724)

Upgrading to the latest version is always advised.
