PT-2025-6423 · Temporal · Api-Go

Published 2025-02-12 · Updated 2025-03-13 · CVE-2025-1243

CVSS v4.0: 2.0 (Low)

Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Temporal api-go library versions prior to 1.44.1

Description

The issue arises when the UpdateWorkflowExecution APIs are used with a proxy that leverages the api-go library before version 1.44.1. In this scenario, the update response information is not sent to Data Converter, so the information in the update response field does not have Data Converter transformations, such as encryption, applied. Other data fields are correctly sent to Data Converter. This issue does not impact the Data Converter server, and data was encrypted in transit. Temporal Cloud services are not impacted.

Recommendations

For versions prior to 1.44.1, update to version 1.44.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the UpdateWorkflowExecution APIs with a proxy leveraging the api-go library until the update is applied.
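
One way to check whether a Go service pins an affected release, as an added example that is not part of the advisory or of the Temporal project. It assumes api-go is consumed as the Go module go.temporal.io/api, and the go.mod content in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: api-go is consumed as the Go module go.temporal.io/api.
const modulePath = "go.temporal.io/api"

// fixed is the first patched release named in the advisory (1.44.1).
var fixed = [3]int{1, 44, 1}

// affectedVersion scans go.mod text for a requirement on modulePath and
// reports the pinned version and whether it sorts before the fixed release.
// replace directives and vendored copies are not followed.
func affectedVersion(goMod string) (version string, affected bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" etc.
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) != 2 || f[0] != modulePath {
			continue
		}
		core, _, _ := strings.Cut(strings.TrimPrefix(f[1], "v"), "+")
		core, _, pre := strings.Cut(core, "-") // pre-release or pseudo-version
		var n [3]int
		if _, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
			return f[1], false, fmt.Errorf("unparseable version %q: %w", f[1], err)
		}
		for i := range n {
			if n[i] != fixed[i] {
				return f[1], n[i] < fixed[i], nil
			}
		}
		return f[1], pre, nil // 1.44.1-<suffix> sorts before 1.44.1
	}
	return "", false, nil
}

func main() {
	// Constructed go.mod for a hypothetical proxy service.
	sample := "module example.com/proxy\n\ngo 1.22\n\nrequire (\n\tgo.temporal.io/api v1.43.0\n\tgoogle.golang.org/grpc v1.66.0\n)\n"
	v, bad, err := affectedVersion(sample)
	fmt.Println(v, bad, err)
}
```

The check reads only the require entries of one go.mod, so a build that overrides the module through a replace directive needs to be inspected separately.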

Fix

Missing Encryption of Sensitive Data

Weakness Enumeration

Related Identifiers

CVE-2025-1243
GHSA-Q9W6-CWJ4-GF4P
GO-2025-3462
OPENSUSE-SU-2025:14889-1

Affected Products

Api-Go