
KrakenD CE 2.12.1 and EE 2.12.3 update released

by Jorge Tarrero

This minor release of KrakenD Community Edition and Enterprise Edition is a security fix that brings in all patches from Go 1.25.6 and from the golang.org/x/crypto package. Several of the CVEs listed below are marked as false positives: vulnerability scanners report them against the binary, but the affected code is not exercised by KrakenD. Upgrading still clears them from scan reports.

🚀 Summary of changes for EE v2.12.3 (patch)

Recommended security upgrade addressing several vulnerabilities fixed upstream by the Go team

  • Decreased the log level emitted when a tiered rate-limit config has no global limits (from ERROR to INFO)
  • Upgraded Go to 1.25.6, addressing several CVEs with disclosed descriptions:
    • CVE-2025-61728 Super-linear filename indexing causes DoS on malicious ZIPs (false positive for KrakenD)
    • CVE-2025-61726 Memory exhaustion from excessive form key-value pairs
    • CVE-2025-68121 Config.Clone leaks session keys; ignores full cert chain expiration
    • CVE-2025-61731 CgoPkgConfig flag bypass leads to arbitrary code execution (false positive for KrakenD)
    • CVE-2025-68119 VCS toolchain misinterpretation enables code exec/file writes (false positive for KrakenD)

Upgrading to the latest version is always advised.

🚀 Summary of changes for CE v2.12.1 (patch)

Recommended security upgrade addressing several vulnerabilities fixed upstream by the Go team

  • Upgraded Go to 1.25.6, addressing several CVEs with disclosed descriptions:
    • CVE-2025-61728 Super-linear filename indexing causes DoS on malicious ZIPs (false positive for KrakenD)
    • CVE-2025-61726 Memory exhaustion from excessive form key-value pairs
    • CVE-2025-68121 Config.Clone leaks session keys; ignores full cert chain expiration
    • CVE-2025-61731 CgoPkgConfig flag bypass leads to arbitrary code execution (false positive for KrakenD)
    • CVE-2025-68119 VCS toolchain misinterpretation enables code exec/file writes (false positive for KrakenD)
    • CVE-2025-61727 An excluded-subdomain name constraint in a certificate chain does not restrict the use of wildcard SANs in the leaf certificate
    • CVE-2025-61729 HostnameError.Error() places no limit on the number of hosts it prints when constructing its error string

  • Upgraded the golang.org/x/crypto package to address CVE-2025-58181 and CVE-2025-47914 (false positives for KrakenD)

Upgrading to the latest version is always advised.
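Because this release is purely a toolchain and dependency bump, the practical check on an operator's side is whether the deployed binary was really built with Go 1.25.6 and a patched golang.org/x/crypto. Go embeds that information in every module-built binary, and `go version -m <binary>` prints it. The script below is an added example and is not KrakenD's own tooling: it parses that output, compares versions, and reports which of the two components is still unpatched. The binary path, the x/crypto threshold `v0.45.0` and the two sample build-info texts are assumptions for illustration, not values taken from these release notes; `sort -V` requires GNU coreutils or a BSD sort that supports it.

```shell
#!/bin/sh
# Added example, not KrakenD's own tooling: confirm that a deployed Go binary
# (such as krakend) was built with a patched toolchain and a patched
# golang.org/x/crypto, using the build info Go embeds in every module-built
# binary (`go version -m <binary>`).
# Assumptions (not from the release notes): the binary path, the x/crypto
# threshold and the sample build-info texts below are illustrative only.

# Normalise "go1.25.6" / "1.25.6" / "v0.45.0" to dotted digits only.
num_version() {
  printf '%s' "$1" | sed 's/^go//; s/^v//; s/[^0-9.].*$//'
}

# Succeed (exit 0) when version $1 is at or above version $2.
# sort -V orders dotted versions numerically, so the lower one sorts first;
# pre-releases such as go1.25rc1 normalise to "1.25" and sort below 1.25.6.
version_at_least() {
  have=$(num_version "$1"); want=$(num_version "$2")
  lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
  [ "$lowest" = "$want" ]
}

# Toolchain that built the binary: the first line of `go version -m` is
# "<binary>: go1.25.6".
toolchain_from_buildinfo() {
  awk 'NR == 1 { print $2; exit }'
}

# Version of one dependency: lines look like "dep<TAB>module<TAB>version<TAB>hash".
dep_version_from_buildinfo() {
  awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Verdict on build-info text read from stdin. Prints findings; exits 0 only
# when both the toolchain and x/crypto meet the given minimum versions.
check_buildinfo() {
  min_go=$1; min_xcrypto=$2
  info=$(cat)
  tc=$(printf '%s\n' "$info" | toolchain_from_buildinfo)
  xc=$(printf '%s\n' "$info" | dep_version_from_buildinfo golang.org/x/crypto)
  ok=0
  if version_at_least "$tc" "$min_go"; then
    echo "toolchain $tc >= $min_go: ok"
  else
    echo "toolchain $tc < $min_go: UNPATCHED"; ok=1
  fi
  if [ -z "$xc" ]; then
    echo "golang.org/x/crypto: not linked in (x/crypto CVEs not applicable)"
  elif version_at_least "$xc" "$min_xcrypto"; then
    echo "golang.org/x/crypto $xc >= $min_xcrypto: ok"
  else
    echo "golang.org/x/crypto $xc < $min_xcrypto: UNPATCHED"; ok=1
  fi
  return $ok
}

# Run the check against a real binary (needs a Go toolchain on PATH).
check_binary() {
  go version -m "$1" | check_buildinfo "$2" "$3"
}

# Constructed sample of `go version -m` output for a pre-upgrade build.
SAMPLE_OLD='krakend: go1.25.5
	path	github.com/krakend/krakend-ce/v2/cmd/krakend-ce
	mod	github.com/krakend/krakend-ce/v2	(devel)
	dep	golang.org/x/crypto	v0.44.0	h1:examplehash=
	build	-buildmode=exe'

# Constructed sample after rebuilding with Go 1.25.6 and a newer x/crypto.
SAMPLE_NEW='krakend: go1.25.6
	path	github.com/krakend/krakend-ce/v2/cmd/krakend-ce
	mod	github.com/krakend/krakend-ce/v2	(devel)
	dep	golang.org/x/crypto	v0.45.0	h1:examplehash=
	build	-buildmode=exe'

# Example invocations. "v0.45.0" is an assumed x/crypto threshold, not a
# value from the release notes; take the real one from govulncheck.
# printf '%s\n' "$SAMPLE_OLD" | check_buildinfo go1.25.6 v0.45.0
# check_binary /usr/local/bin/krakend go1.25.6 v0.45.0
```

For the authoritative view of which advisories actually reach code in the binary, run `govulncheck -mode=binary /path/to/krakend` after the upgrade; it uses the same embedded build info plus symbol reachability, which is what separates a real finding from the false positives listed above.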
