CVE-2025-30204 in acr-credential-provider ?

[axelgMS]

Some scanning tools (eg. Prisma) are reporting the following CVE in acr-credential-provider: https://www.cve.org/CVERecord?id=CVE-2025-30204

It seems to affect following binary "/var/lib/kubelet/credential-provider/acr-credential-provider":

CVE-2025-30204 ... github.com/golang-jwt/jwt/v4 ... v4.5.0 ... /var/lib/kubelet/credential-provider/acr-credential-provider ... fixed in 4.5.2

ASK = Can you please upgrade the golang-jwt/jwt to at least v4.5.2 to fix that vulnerability ?

[mainred]

I did not find github.com/golang-jwt/jwt/v4 is used in the code base for example in v1.32.5. How did our customer detect this CVE?

(v1.32.5) grep "github.com/golang-jwt/jwt/v4" * -r
go.mod: github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
go.sum:github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
go.sum:github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
vendor/modules.txt:# github.com/golang-jwt/jwt/v4 v4.5.1
vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md: "github.com/golang-jwt/jwt/v4"
vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md:github.com/golang-jwt/jwt with github.com/golang-jwt/jwt/v4, either manually
vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md:go get github.com/golang-jwt/jwt/v4

[bcho]

cloud-provider-azure/go.mod

Line 91 in 94cee71

github.com/golang-jwt/jwt/v4 v4.5.1 // indirect

it's linked as the an indirect dependency. We should bump the indirected dependency version to patched jwt/v4 version.

[feiskyer]

Most branches have been fixed by auto version bump, but 1.30 has not. Filed #9494 to update 1.30.