[GH-ISSUE #4741] Vulnerabilities in the latest version #3747

Closed
opened 2026-05-05 14:24:00 -06:00 by gitea-mirror · 1 comment

Originally created by @aleksandr-orca on GitHub (Apr 1, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4741

Bug Description

Hello, first of all thank you so much for this project, it's really convenient to use and impressively effective. What I'm concerned about is the frequency of the latest updates. I imagine how hard it sometimes is to maintain an open source project, but from a security perspective new vulnerabilities are getting discovered each day, and without frequent dependency updates there's a high risk of being affected by this.

Currently, there are 3 vulnerabilities we found caused by dependencies used in this project, sorted by criticality:

  1. golang.org/x/crypto v.30.0 -> v0.31.0; related vulnerability: CVE-2024-45337
  2. github.com/go-jose/go-jose/v4 v4.0.1 -> v4.0.5; related vulnerability: CVE-2025-27144
  3. golang.org/x/net v0.32.0 -> v0.36.0; related vulnerability: CVE-2025-22870

Is it possible to resolve those? Maybe some automation could be set up to update dependencies with security issues? For example, Trivy provides a free-to-use project in order to detect these vulns, so in combination with this and some automation most of the security issues could be resolved, because most of the time these are happening because of outdated dependency versions.

frpc Version

v0.61.2

frps Version

v0.61.2

System Architecture

any linux, I believe any arch in general

Configurations

doesn't matter

Logs

No response

Steps to reproduce

No response

Affected area

  • [ ] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [x] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others
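The dependency check the issue asks to automate, as an added example that is neither frp's code nor Trivy: a small Go scanner that reads go.mod requirement lines and flags a module whose version is below the first fixed version of one of the three advisories listed above. The hard-coded advisory table, the constructed sample go.mod and the versionKey packing rule (three-part versions, components below 1000) are assumptions for illustration.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// Advisory records a vulnerable module path and the first fixed version.
type Advisory struct{ Module, Fixed, CVE string }
// The three advisories from the issue; a real scanner would load a vulnerability database instead.
var advisories = []Advisory{
	{"golang.org/x/crypto", "v0.31.0", "CVE-2024-45337"},
	{"github.com/go-jose/go-jose/v4", "v4.0.5", "CVE-2025-27144"},
	{"golang.org/x/net", "v0.36.0", "CVE-2025-22870"},
}
// versionKey packs "vMAJOR.MINOR.PATCH[-suffix]" into one int; assumes components below 1000.
func versionKey(v string) (k int) {
	core := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0]
	for _, p := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		k = k*1000 + n
	}
	return k
}
// scanGoMod returns one finding per requirement line below an advisory's fixed version.
func scanGoMod(goMod string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) > 2 && f[0] == "require" { // single-line "require mod vX.Y.Z"
			f = f[1:]
		}
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") {
			continue // module, go, "require (", ")" and blank lines
		}
		for _, a := range advisories {
			if f[0] == a.Module && versionKey(f[1]) < versionKey(a.Fixed) {
				findings = append(findings, f[0]+" "+f[1]+": "+a.CVE+" (fixed in "+a.Fixed+")")
			}
		}
	}
	return findings
}

// Constructed go.mod fragment mirroring the issue's versions; x/net is already fixed.
const sampleGoMod = "module example.com/frp-like\n\ngo 1.22\n\nrequire (\n" +
	"\tgolang.org/x/crypto v0.30.0\n\tgithub.com/go-jose/go-jose/v4 v4.0.1\n" +
	"\tgolang.org/x/net v0.36.0 // indirect\n)\n"
```

Running scanGoMod(sampleGoMod) reports the x/crypto and go-jose lines and stays silent on x/net, which is already at its fixed version; pseudo-versions such as v0.0.0-2021...-abc compare as v0.0.0 because the suffix after "-" is dropped.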
gitea-mirror 2026-05-05 14:24:00 -06:00: closed this issue and added the todo label.

@github-actions[bot] commented on GitHub (Apr 16, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
