CVE-2025-68119
High · CVSS 7.5
False Positive
cmd/go). KrakenD
distributes pre-compiled binaries and does not invoke the Go toolchain at runtime.
End users running KrakenD as a gateway are not affected. Addressed through routine dependency maintenance in CE 2.12.1 and EE 2.12.3.
Component: Go standard library (cmd/go)
Disclosed: Jan 16, 2026
CVSS Score: 7.5
The cmd/go command misinterprets version control system (VCS) repository metadata
when resolving module paths. A specially constructed repository can cause go get or
related toolchain commands to execute unintended code or write files outside the module
cache, enabling supply-chain attacks against developer environments.