A vulnerability, identified as CVE-2025-1243, has been discovered in the Temporal api-go library and affects versions prior to 1.44.1. When the proxy package of the api-go module is used in a gRPC proxy, the update response field is not passed to the Data Converter before transmission. Consequently, Data Converter transformations, such as encryption, are not applied to the information in the update response field. This vulnerability affects systems that use the UpdateWorkflowExecution APIs, released on January 13, 2025, with a proxy that relies on the api-go library before version 1.44.1.
References and links
- Original Temporal API Release with affected APIs
- Temporal Go SDK (api-go library)
- Vulnerable module on api-go
- CVE Details
Affected Components
The vulnerability lies within the Temporal api-go library's proxy package (client/proxy/client_grpc_proxy.go). Specifically, it impacts the UpdateWorkflowExecution APIs and is only an issue when the affected library (<1.44.1) is used together with a gRPC proxy.
Code Snippet
The following snippet is an example of vulnerable code that calls the UpdateWorkflowExecution API in a gRPC proxy setup:
package main

import (
	"context"
	"fmt"

	"github.com/temporalio/go-sdk/client/proxy"
	"github.com/temporalio/go-sdk/workflowserviceclient"
	api "go.temporal.io/api/workflowservice/v1" // request/response types of the WorkflowService API
)

func main() {
	// Set up a gRPC proxy with the vulnerable (<1.44.1) api-go client library
	grpcProxy := proxy.NewGrpcProxy("127.0.0.1:7233", proxy.WithProtoOutgoingHostPort("localhost:7233"))
	_ = grpcProxy // the proxy forwards the call below; its handle is otherwise unused here

	// Create a WorkflowService client that talks through the proxy
	client, err := workflowserviceclient.NewClient(workflowserviceclient.Options{})
	if err != nil {
		fmt.Println("Error creating client: ", err)
		return
	}
	updateWorkflowExecutionRequest := &api.UpdateWorkflowExecutionRequest{}

	// Vulnerable path: the update response returned through the proxy is not passed
	// to the Data Converter, so its payloads are forwarded without transformation
	resp, err := client.UpdateWorkflowExecution(context.Background(), updateWorkflowExecutionRequest)
	if err != nil {
		fmt.Println("Error updating workflow execution: ", err)
	} else {
		fmt.Println("Update response: ", resp)
	}
}
Mitigation and Remediation
The vulnerability is fixed by updating the Temporal api-go library to version 1.44.1 or higher. Users are advised to update their systems as soon as possible. Other measures include:
1. Assess any exposure to the UpdateWorkflowExecution API when using the api-go library (<1.44.1) with a gRPC proxy.
2. Ensure that the Data Converter package is properly configured, and encryption of data at rest is enabled.
Please note that this issue does not impact the Data Converter server or Temporal Cloud services. Data remains encrypted in transit.
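The root cause described above is a traversal gap: the proxy's payload visitor never reaches the update response field, so the Data Converter codec is never applied to it. The following Go program is an added illustration, not code from the advisory or from Temporal; its type names (Payload, Outcome, UpdateWorkflowExecutionResponse) are simplified stand-ins for the api-go types, the two visitPayloads functions model the pre- and post-fix traversal, and auditBeforeSend is a constructed pre-transmission check that refuses to forward a response whose outcome still carries a payload the codec never saw.

```go
package main

import "fmt"

// Simplified stand-ins for Temporal's payload and update response types;
// only the field the advisory concerns (the update outcome) is modelled.
type Payload struct {
	Metadata map[string]string
	Data     []byte
}
type Outcome struct{ Success []*Payload }
type UpdateWorkflowExecutionResponse struct{ Outcome Outcome }

// visitPayloadsPre1441 models the gap in api-go < 1.44.1: outcome payloads are
// never handed to the visitor, so Data Converter transformations skip them.
func visitPayloadsPre1441(resp *UpdateWorkflowExecutionResponse, visit func(*Payload)) {}

// visitPayloadsFixed models the corrected traversal: every outcome payload is visited.
func visitPayloadsFixed(resp *UpdateWorkflowExecutionResponse, visit func(*Payload)) {
	for _, p := range resp.Outcome.Success {
		visit(p)
	}
}

// encryptingCodec stands in for a Data Converter codec; it marks the payload as
// encrypted (a real codec would also replace Data with ciphertext).
func encryptingCodec(p *Payload) { p.Metadata["encoding"] = "binary/encrypted" }

// auditBeforeSend refuses to forward an update response whose outcome still
// carries a payload without the codec's encoding marker.
func auditBeforeSend(resp *UpdateWorkflowExecutionResponse) error {
	for i, p := range resp.Outcome.Success {
		if p.Metadata["encoding"] != "binary/encrypted" {
			return fmt.Errorf("outcome.success[%d] never passed through the codec", i)
		}
	}
	return nil
}

// newSampleResponse builds a constructed update result carrying one plaintext payload.
func newSampleResponse() *UpdateWorkflowExecutionResponse {
	p := &Payload{Metadata: map[string]string{"encoding": "json/plain"}, Data: []byte(`{"balance":42}`)}
	return &UpdateWorkflowExecutionResponse{Outcome: Outcome{Success: []*Payload{p}}}
}

func main() {
	vulnerable, fixed := newSampleResponse(), newSampleResponse()
	visitPayloadsPre1441(vulnerable, encryptingCodec)
	visitPayloadsFixed(fixed, encryptingCodec)
	fmt.Println("pre-1.44.1:", auditBeforeSend(vulnerable)) // flags the clear payload
	fmt.Println("fixed:", auditBeforeSend(fixed))           // <nil>
}
```

Running the same audit against the real response types in a proxy's outbound interceptor gives a regression check that would have caught this class of gap before plaintext left the proxy.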
Timeline
Published on: 02/12/2025 01:15:09 UTC