Go 1.23.2 has critical CVE-2025-22871

[wrenix]

Current your container mirror does not allow to pull the current image because of current the critical CVE-2025-22871 (a CWE-1395) in golang 1.23.2 which is used in hugo

What version of Hugo are you using (hugo version)?

$ hugo version 0.147.7

[bep]

golang 1.23.2 which is used in hugo

That's not true:

 ./hugo env
hugo v0.147.7-189453612e4bedc4f27495a7b1145321c8d89807 darwin/arm64 BuildDate=2025-05-31T12:41:12Z VendorInfo=gohugoio
GOOS="darwin"
GOARCH="arm64"
GOVERSION="go1.24.0"
github.com/sass/dart-sass/protocol="3.1.0"
github.com/sass/dart-sass/compiler="1.81.0"
github.com/sass/dart-sass/implementation="1.81.0"

Can you be more specific?

[wrenix]

please open this issue again, it even is a problem in 1.24.0.
This CVE is in 1.24.2 solved, see: https://pkg.go.dev/vuln/GO-2025-3563