Crossplane v2.3.3 patches a TOCTOU security flaw in OCI package signature verification (GHSA-mf7q-r4rv-jv94) and fixes a namespace injection bug in `crossplane render`. Routine CVE bumps for Go deps included.
securityUpgrade immediately to fix OCI signature TOCTOU (GHSA-mf7q-r4rv-jv94)
The TOCTOU flaw means a compromised or malicious OCI registry could serve unsigned package content after passing signature verification. Any Crossplane deployment that installs packages from OCI registries is exposed. Upgrade to v2.3.3 — this fix lives in crossplane-runtime and is bundled in this release. Review the crossplane-runtime v2.3.3 advisory for full technical details and assess whether any packages installed on affected versions should be reinstalled.
securitygolang.org/x/net and x/sys CVE patches — rebuild or upgrade
The apis module now pulls updated golang.org/x/net and golang.org/x/sys. If you build Crossplane from source or vendor these deps in your own providers/functions, update your dependency pins to pick up the same CVE fixes. Pre-built images in v2.3.3 already include the patched versions.
breakingcrossplane render namespace behavior changed for namespaced XRs
If you use `crossplane render` in CI pipelines or local testing with namespaced XRs, the injected resource refs no longer carry a namespace. This matches real reconciler behavior and fixes breakage with strict-schema functions (e.g., KCL-generated bindings). Re-run your render tests after upgrading to confirm output changes don't mask real issues in your composition logic.
Key changes (4)
- TOCTOU fix in OCI package signature verification via crossplane-runtime v2.3.3 (GHSA-mf7q-r4rv-jv94): a malicious registry could swap unsigned content after signature check passed
- Fixed `crossplane render` incorrectly setting namespace on resource refs for namespaced XRs, which broke strict-schema functions like generated KCL bindings
- Go toolchain bumped to 1.25.11
- golang.org/x/net and golang.org/x/sys updated in the apis module to pick up CVE fixes