KrakenD CE 2.13.5 and EE 2.13.3 update released
by Jorge Tarrero
This patch release of KrakenD Community Edition and Enterprise Edition upgrades the Go version to 1.25.10 to address several disclosed CVEs. It also addresses a set of vulnerabilities in both the OTLP exporters and the Prometheus-dependent components.
Additionally, we’ve introduced an important bump to the auth/ntlm component (Enterprise-only) addressing CVE-2026-32952, along with many other improvements.
🚀 Summary of changes for EE v2.13.3 (patch)
Recommended security upgrade addressing several vulnerabilities
- Upgraded auth/ntlm component addressing CVE-2026-32952.
- Upgraded OTLP HTTP exporters addressing CVE-2026-39882.
- Upgraded Prometheus dependency addressing CVE-2026-42154, CVE-2026-42151 and CVE-2026-40179.
- Upgraded Go to 1.25.10, addressing several CVEs with disclosed descriptions:
  - CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (false positive)
  - CVE-2026-39819: cmd/go: “go bug” follows symlinks in predictable temporary filenames (false positive)
  - CVE-2026-39817: cmd/go: “go tool pack” does not sanitize output paths (false positive)
  - CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
  - CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (false positive)
  - CVE-2026-33811: net: crash when handling long CNAME response
  - CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (false positive)
  - CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment (false positive)
  - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
  - CVE-2026-39826: html/template: escaper bypass leads to XSS (false positive)
  - CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (false positive)
Upgrading to the latest version is always advised.
🚀 Summary of changes for CE v2.13.5 (patch)
Recommended security upgrade addressing several vulnerabilities
- Upgraded OTLP HTTP exporters addressing CVE-2026-39882.
- Upgraded Prometheus dependency addressing CVE-2026-42154, CVE-2026-42151 and CVE-2026-40179.
- Upgraded Go to 1.25.10, addressing several CVEs with disclosed descriptions:
  - CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (false positive)
  - CVE-2026-39819: cmd/go: “go bug” follows symlinks in predictable temporary filenames (false positive)
  - CVE-2026-39817: cmd/go: “go tool pack” does not sanitize output paths (false positive)
  - CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
  - CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (false positive)
  - CVE-2026-33811: net: crash when handling long CNAME response
  - CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (false positive)
  - CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment (false positive)
  - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
  - CVE-2026-39826: html/template: escaper bypass leads to XSS (false positive)
  - CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (false positive)
Upgrading to the latest version is always advised.
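Both the EE and CE summaries above hinge on the binary being built with Go 1.25.10 or later. The following added example (not KrakenD's own code) reads the build metadata that the Go toolchain embeds in every module-built executable, so an operator can confirm offline which toolchain a deployed krakend binary was compiled with; the tool name gocheck, the binary path and the minimum version constant are assumptions, and only the Go version is checked, not the individual dependency upgrades.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// minGo is the Go toolchain these builds ship with (go1.25.10), per the release notes.
var minGo = [3]int{1, 25, 10}

// IsPatchedGoVersion reports whether toolchain string v ("go1.25.10", "go1.26rc1",
// "go1.25.10 X:exp") is at or above minGo. Sscanf stops at the first non-matching
// character, so a pre-release or absent patch number parses as 0, erring towards "outdated".
func IsPatchedGoVersion(v string) (bool, error) {
	var have [3]int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &have[0], &have[1], &have[2]); n < 2 {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i := range have {
		if have[i] != minGo[i] {
			return have[i] > minGo[i], nil
		}
	}
	return true, nil
}

// BinaryHasPatchedGo reads the build metadata embedded in a Go executable (e.g. a deployed
// krakend binary) without running it and checks the toolchain it was compiled with.
func BinaryHasPatchedGo(path string) (bool, string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return false, "", err
	}
	ok, err := IsPatchedGoVersion(bi.GoVersion)
	return ok, bi.GoVersion, err
}

func main() { // usage: gocheck /path/to/krakend ; a non-zero exit status means "not patched"
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck /path/to/krakend")
		os.Exit(2)
	}
	ok, v, err := BinaryHasPatchedGo(os.Args[1])
	fmt.Printf("%s: toolchain %q, at or above go1.25.10: %v (err: %v)\n", os.Args[1], v, ok, err)
	if !ok {
		os.Exit(1)
	}
}
```

The same check can be run by hand with `go version -m /path/to/krakend`, which prints the embedded toolchain and module list; the program above simply makes the comparison scriptable for CI or fleet audits.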