Vulnerability in Temporal API-Go Library Affects gRPC Proxy Implementation
CVE-2025-1243


Key Information:

CVE Published: 12 February 2025

What is CVE-2025-1243?

In the Temporal API-Go library, versions prior to 1.44.1 did not send update response information to the Data Converter when the proxy package was used in a gRPC proxy setup. As a result, Data Converter transformations such as encryption were not applied to the update response field when the UpdateWorkflowExecution APIs, designated for launch on January 13, 2025, were used. Other data fields were transmitted with the appropriate transformations; the issue is specific to the UpdateWorkflowExecution process. It does not affect the Data Converter server, and data was encrypted in transit. Temporal Cloud services remain unaffected.

Affected Version(s)

api-go library: versions from 0 up to, but not including, 1.44.1
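
As an added example (not code from Temporal or from this advisory), the Go program below checks whether a go.mod file pins api-go below the fixed release 1.44.1. The module path go.temporal.io/api and the sample go.mod are assumptions constructed for illustration, and replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: api-go's module path; the advisory only names the library.
const apiModule = "go.temporal.io/api"

var fixed = [3]int{1, 44, 1} // first fixed release per the advisory

// Affected reports whether a go.mod version string such as "v1.44.0" or
// "v1.44.1-rc.1" sorts below v1.44.1. Build metadata after "+" is ignored.
func Affected(v string) (bool, error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, _, pre := strings.Cut(core, "-")
	var p [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &p[0], &p[1], &p[2]); err != nil {
		return false, fmt.Errorf("unexpected version %q: %v", v, err)
	}
	for i := range p {
		if p[i] != fixed[i] {
			return p[i] < fixed[i], nil
		}
	}
	return pre, nil // a pre-release or pseudo-version of 1.44.1 sorts before it
}

// PinnedVersion returns the api-go version required by go.mod text, or ""
// when the module is not listed. Handles single-line and block require forms.
func PinnedVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == apiModule && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// Constructed sample go.mod, not taken from any real project.
const sampleGoMod = "module example.com/proxy\n\nrequire (\n\tgo.temporal.io/api v1.43.2 // indirect\n)\n"

func main() {
	v := PinnedVersion(sampleGoMod)
	bad, err := Affected(v)
	fmt.Println(v, "affected:", bad, "err:", err)
}
```

Run it against the go.mod of any service that builds a gRPC proxy with the proxy package; an empty result from PinnedVersion means the module is not required directly or indirectly in that file.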

CVSS V4

Score: 2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved