Cumulative Go Runtime Vulnerabilities in OpenFeature flagd

The OpenFeature flagd evaluation engine acts as a critical component in modern application architecture, serving dynamic configuration and feature flags to services. Because flagd is written in Go, it relies heavily on the Go Standard Library for core functionality, including networking, cryptography, and database interactions. This advisory addresses a collection of vulnerabilities identified in the Go runtime that affect flagd versions prior to 0.13.1.

The aggregated vulnerabilities span multiple subsystems. The most severe, CVE-2025-47907, introduces a race condition in the database/sql package. This flaw undermines the integrity of data retrieved from SQL databases under specific concurrency conditions. Additionally, parsing logic in net/mail (CVE-2025-61725), encoding/pem (CVE-2025-61723), and crypto/x509 (CVE-2025-61729) contain algorithmic complexity issues that allow remote attackers to exhaust CPU resources via crafted inputs.

While flagd code itself does not contain these bugs, the binary distribution bundles the vulnerable Go runtime. Consequently, any flagd instance processing untrusted input or connecting to SQL data sources is potentially exposed to these risks until rebuilt with a patched Go version.

CVE-2025-47907 represents a significant integrity failure within Go's database/sql package. The vulnerability manifests during the scanning of query results when a context cancellation occurs concurrently. In Go, rows.Scan() is used to copy data from the current row into destination variables. The internal driver implementation manages a buffer for these results.

The flaw exists in the synchronization logic between the query cancellation signal (triggered by a context.Context timeout or cancellation) and the active Scan operation. If a cancellation occurs at a precise moment during the scan loop, the database/sql driver may fail to invalidate the buffer correctly. This can lead to a scenario where rows.Next() returns true (indicating a valid row), but rows.Scan() populates the destination variables with data from a different query or corrupted memory residuum.

For flagd, which supports SQL-based sync providers (e.g., PostgreSQL or MySQL) to fetch feature flag configurations, this is critical. If flagd experiences high load or network latency that triggers timeouts, the race condition could cause the engine to ingest incorrect flag definitions. This could result in features being enabled for the wrong users or internal logic gates being flipped unintentionally.

Beyond data integrity, several vulnerabilities in this cluster introduce Denial of Service vectors through algorithmic complexity. These flaws exploit non-linear performance characteristics in standard library parsers.

CVE-2025-61725 (net/mail): The ParseAddress function exhibits inefficient complexity when processing email addresses containing large domain literals or specific nested comments. If flagd is configured to process metadata containing email-like structures (e.g., in evaluation contexts or targeting rules), an attacker could supply a crafted string that consumes excessive CPU cycles, effectively stalling the evaluation engine.

CVE-2025-61723 (encoding/pem): The PEM decoder allows quadratic time complexity when parsing invalid PEM blocks. If flagd accepts TLS certificates or keys from external sources, or if it parses PEM-formatted configuration data, a malicious payload can trigger a computationally expensive loop.

CVE-2025-61729 (crypto/x509): This vulnerability affects the HostnameError.Error() method. It lacks limits on the concatenation of hostnames when generating error messages. An attacker presenting a TLS certificate with thousands of Subject Alternative Names (SANs) during a handshake could force the server to construct a massive error string, leading to memory exhaustion and a crash.

Exploitation of these vulnerabilities relies on the specific configuration of flagd. Two primary attack vectors exist based on the exposed surface area.

Scenario 1: Sync Provider Poisoning (Integrity) An attacker controls a downstream service or network conditions to induce latency in SQL queries issued by flagd. By forcing context timeouts while flagd is syncing with a SQL database, the attacker attempts to trigger the CVE-2025-47907 race condition. Successful exploitation results in flagd loading a corrupted state. For example, a flag configured as false in the database might be interpreted as true due to data contamination from a concurrent query buffer.

Scenario 2: Evaluation Denial of Service (Availability) If flagd is exposed publicly (e.g., as a sidecar in a multi-tenant environment), an attacker sends evaluation requests containing malicious payloads in the evaluation context. Specifically, inserting a crafted email address into a field parsed by net/mail triggers the CPU spike. Alternatively, during the TLS handshake, if flagd acts as a client connecting to a malicious sync provider, the provider can present a certificate designed to trigger CVE-2025-61729, crashing the flagd process.

The impact of these vulnerabilities ranges from service degradation to logic failures in application behavior.

• Availability (High): The multiple DoS vectors (net/mail, encoding/pem, crypto/x509, archive/zip) pose a high risk of service disruption. flagd is often a critical path component; if it becomes unresponsive, dependent services may default to fallback values or fail open/closed, disrupting the user experience.
• Integrity (High): The SQL race condition (CVE-2025-47907) undermines the reliability of the feature flag system. Feature management relies on eventual consistency; however, this bug introduces incorrect consistency. The corruption of flag rules can lead to unauthorized feature access or operational incidents.
• Confidentiality (Low): While Request Smuggling (CVE-2025-58188) is theoretically possible via net/http, it requires specific proxy architectures to be exploitable for data exfiltration. In most flagd deployments (sidecar or Kubernetes operator), the risk of data leakage is minimal compared to the availability and integrity risks.