CVE-2025-1243

Published Feb 12, 2025 Modified Apr 15, 2026 CWE-311

Description

The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1. Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted.

Weakness Type (CWE)

CWE-311 CWE-311

References

Frequently Asked Questions

What is CVE-2025-1243? +
The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1. Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted.
How do I check if I'm vulnerable to CVE-2025-1243? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-40680

Lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT …
CVE-2024-7396

Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2.
CVE-2025-47274

ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the …
CVE-2024-38283

Sensitive customer information is stored in the device without encryption.
CVE-2025-36751

Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to …
CVE-2023-6339 10.0

Google Nest WiFi Pro root code-execution & user-data compromise

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-1243 — free, no signup required.

Start Free Scan