CVE-2025-1243

Vulnerability Description

The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1. Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted.

Related Weaknesses (CWE)

References

• https://github.com/temporalio/api-go/releases/tag/v1.44.1
• https://temporal.io/blog/announcing-a-new-operation-workflow-update

FAQ

What is CVE-2025-1243?

CVE-2025-1243 is a documented vulnerability. The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to trans...

How severe is CVE-2025-1243?

CVSS scoring is not yet available for CVE-2025-1243. Check NVD for updates.

Is there a patch for CVE-2025-1243?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.