
txn2/kubefwd

v1.25.2 Security

This release includes 1 security fix: a CodeQL alert in IP octet parsing. No known CVEs are patched.

Topics

api-rest developer-tools devops devops-tools devtools kubernetes kubefwd kubernetes-clusters kubernetes-namespace mcp-server networking port-forward port-forwarding proxy

Affected surfaces

deps

Summary

AI summary

Fixed a CodeQL security alert by validating that each IP octet is within 0-255 before the int-to-byte conversion, so out-of-range values are rejected instead of being silently truncated.

Full changelog

This release focuses on security improvements, OpenSSF Scorecard compliance, and MCP bug fixes.


Highlights

Security Fix: IP Parsing Bounds Validation

Fixed a CodeQL security alert for an incorrect integer conversion in IP parsing. The ipFromString() function now validates that each octet is within 0-255 before casting to byte; previously an out-of-range value such as 256 or -1 would have been truncated by the narrowing conversion rather than rejected.

MCP Bug Fixes

  • Fixed namespace state corruption - remove_namespace no longer corrupts state for subsequent add_service calls
  • Fixed service discovery reporting - add_namespace now correctly reports discovered service count via direct K8s API query
  • Restored parameter hints - All MCP tool descriptions now include required parameter hints (e.g., "Requires key (e.g., 'servicename.namespace.context')")

OpenSSF Scorecard Improvements

  • Pinned all workflow dependencies by SHA hash
  • Restricted token permissions to job-level scope
  • Expected Scorecard improvement: Pinned-Dependencies 8→10/10, Token-Permissions 0→10/10
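As an added example of what the two Scorecard checks named above look for (example code, not kubefwd's workflow or tooling), the following Go program audits a constructed workflow for uses: references that are not pinned to a 40-character commit SHA and for jobs that lack a job-level permissions: block. The sample workflow, the all-zero placeholder SHA, and the Audit function are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample workflow (not from the kubefwd repository): the "build" job
// uses floating tags and inherits the workflow-wide write-all grant; the "sign"
// job is pinned by commit SHA and scoped at job level. The 40-zero SHA is a
// placeholder; a real workflow resolves the tag with
// `git ls-remote https://github.com/actions/checkout refs/tags/v4.1.1`.
const sampleWorkflow = `name: release
on:
  push:
    tags: ["v*"]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5.0.0
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1 (placeholder SHA)
      - uses: ./.github/actions/local-step
`

var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// A job is a key indented by exactly two spaces under "jobs:".
	jobRe = regexp.MustCompile(`^  ([A-Za-z0-9_-]+):\s*$`)
)

// Finding is one Scorecard-style complaint; Line is 0 for job-level findings.
type Finding struct {
	Line int
	Msg  string
}

// Audit scans a workflow line by line (enough for GitHub's conventional layout;
// a full YAML parser would be needed for flow-style or oddly indented files).
func Audit(workflow string) []Finding {
	var out []Finding
	inJobs, curJob := false, ""
	var jobs []string
	hasPerms := map[string]bool{}
	for i, ln := range strings.Split(workflow, "\n") {
		n := i + 1
		switch {
		case strings.TrimSpace(ln) == "jobs:":
			inJobs = true
		case !inJobs && strings.HasPrefix(ln, "permissions:") && strings.Contains(ln, "write-all"):
			out = append(out, Finding{n, "workflow-level permissions are write-all; grant per job instead"})
		case inJobs && jobRe.MatchString(ln):
			curJob = jobRe.FindStringSubmatch(ln)[1]
			jobs = append(jobs, curJob)
		case inJobs && strings.HasPrefix(ln, "    permissions:"):
			hasPerms[curJob] = true
		}
		m := usesRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		ref := m[1]
		switch {
		case strings.HasPrefix(ref, "./"):
			// Local composite action: lives in this repo, nothing to pin.
		case strings.HasPrefix(ref, "docker://"):
			if !strings.Contains(ref, "@sha256:") {
				out = append(out, Finding{n, "container action not pinned by digest: " + ref})
			}
		default:
			at := strings.LastIndex(ref, "@")
			if at < 0 || !shaRe.MatchString(ref[at+1:]) {
				out = append(out, Finding{n, "action not pinned to a commit SHA: " + ref})
			}
		}
	}
	for _, j := range jobs {
		if !hasPerms[j] {
			out = append(out, Finding{0, "job " + j + " has no permissions block and inherits the workflow default"})
		}
	}
	return out
}

func main() {
	for _, f := range Audit(sampleWorkflow) {
		fmt.Printf("line %3d: %s\n", f.Line, f.Msg)
	}
}
```

The build job in the sample is what the Pinned-Dependencies and Token-Permissions checks penalise; the sign job is the corrected form. Keep the version tag in a trailing comment next to each pinned SHA so Dependabot or Renovate can keep the pin current.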

MCPB Bundle Signing

MCPB bundles are now signed with Cosign and included in SLSA provenance attestation for enhanced supply chain security.


What's New

Security

  • Fixed CodeQL alert: bounds validation for IP octet parsing (#339)
  • Added fuzz tests for IP parsing to catch edge cases (#336)
  • Fixed panic in ipFromString for malformed input (#336)
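As an added illustration of the bounds fix described under Security Fix: IP Parsing Bounds Validation and of the fuzz and panic items listed above (example code, not kubefwd's own ipFromString), the following Go program places a reconstruction of the unchecked int-to-byte pattern beside a version that validates the 0-255 range before converting. The names ipFromStringUnsafe and ipFromStringSafe and the sample inputs are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ipFromStringUnsafe is a reconstruction of the pattern the CodeQL alert
// (incorrect integer conversion) flags, not kubefwd's actual pre-fix code:
// strconv.Atoi yields an int and byte(n) silently truncates, so "256.0.0.1"
// parses as 0.0.0.1 and "-1.0.0.1" as 255.0.0.1 with no error.
func ipFromStringUnsafe(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four octets")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, err
		}
		ip[i] = byte(n) // narrowing conversion with no range check
	}
	return ip, nil
}

// ipFromStringSafe rejects anything outside 0..255 before the conversion.
// ParseUint with bitSize 8 refuses a sign, non-digits and values above 255 in
// one call, which is equivalent to checking 0 <= n <= 255 on an Atoi result.
// The octet-count check guards the fixed-size indexing; without it a short
// input such as "1.2.3" or "" would index past the array and panic.
func ipFromStringSafe(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected four octets, got %d", len(parts))
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return nil, fmt.Errorf("octet %d %q: %w", i+1, p, err)
		}
		ip[i] = byte(n) // safe: n is already proven to fit in 8 bits
	}
	return ip, nil
}

func main() {
	// Constructed inputs: one valid address, the two truncation cases, and two
	// malformed strings that must produce an error rather than a panic.
	for _, in := range []string{"10.0.0.255", "256.0.0.1", "-1.0.0.1", "1.2.3", ""} {
		u, uerr := ipFromStringUnsafe(in)
		s, serr := ipFromStringSafe(in)
		fmt.Printf("%-12q unsafe=%v err=%v | safe=%v err=%v\n", in, u, uerr, s, serr)
	}
}
```

A Go fuzz target of the shape func FuzzIPFromString(f *testing.F) that feeds arbitrary strings to the safe parser and only asserts that it returns without panicking, and that any accepted result round-trips through ip.String(), is how a fuzz test catches the malformed-input edge cases this release mentions.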

Bug Fixes

  • Fixed remove_namespace corrupting state for subsequent add_service calls (#338)
  • Fixed add_namespace reporting "Discovered 0 services" (#338)
  • Restored MCP tool parameter hints that were accidentally removed (#338)
  • Added missing switch cases for StatusPending and StatusStopping (#338)
  • Fixed nil pointer panic in fwdsvcregistry.GetAll() (#338)

Build/CI

  • Improved OpenSSF Scorecard compliance (#337)
  • Pinned workflow dependencies by SHA hash
  • Restricted token permissions to job-level
  • Sign MCPB bundles with Cosign (#335)
  • Include MCPB bundles in SLSA provenance attestation
  • Fix MCPB build script for goreleaser arm64 directory naming (#334)
  • Pin mkdocs-material version in docs workflow
  • Add fuzz testing to CI workflow

Testing

  • Added fuzz tests for IP parsing functions
  • Added 11 unit tests for IP octet bounds validation
  • Added tests covering values >255, negative values, edge cases

Dependencies

  • Bumped github.com/quic-go/quic-go from 0.54.0 to 0.57.0

Installation

Homebrew (macOS/Linux)

brew install txn2/tap/kubefwd

Claude Desktop (MCPB)

Download the appropriate .mcpb file for your platform and double-click to install.

Binary Download

Download the appropriate archive for your platform from the release assets.

Docker

docker pull txn2/kubefwd:v1.25.2

Package Managers

  • APK: kubefwd_amd64.apk, kubefwd_arm64.apk
  • DEB: kubefwd_amd64.deb, kubefwd_arm64.deb
  • RPM: kubefwd_amd64.rpm, kubefwd_arm64.rpm

Checksums & Verification

All release artifacts include:

  • SHA256 checksums in kubefwd_checksums.txt
  • Sigstore signature in kubefwd_checksums.txt.sigstore.json
  • SBOM (Software Bill of Materials) for each archive
  • SLSA Level 3 provenance attestation

Verify the Sigstore signature over the checksum file (the bundle covers kubefwd_checksums.txt; each downloaded artifact is then checked against the digests it lists) with:

cosign verify-blob \
  --bundle kubefwd_checksums.txt.sigstore.json \
  --certificate-identity-regexp="https://github.com/txn2/kubefwd/.github/workflows/release.yml@refs/tags/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  kubefwd_checksums.txt
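The cosign command verifies only the signature over kubefwd_checksums.txt; closing the chain means hashing each downloaded artifact and comparing it with that file, which on a machine with GNU coreutils is sha256sum --ignore-missing -c kubefwd_checksums.txt. As an added example (not part of the release or the project), the Go program below does the same thing explicitly: it parses the checksum file format, hashes the listed artifacts present in a download directory, and fails on a mismatch, a malformed line, a path-like entry, or a directory with no matching artifacts. The function names, the source file name in the usage comment, and the constructed inputs are this example's own.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ParseChecksums reads "<64-hex-sha256>  <filename>" lines (the format written by
// sha256sum and by goreleaser into kubefwd_checksums.txt) into a name -> digest map.
func ParseChecksums(r io.Reader) (map[string]string, error) {
	want := map[string]string{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("line %d: malformed checksum entry %q", n, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("line %d: bad digest: %w", n, err)
		}
		// sha256sum writes a leading '*' for binary mode; strip it.
		name := strings.TrimPrefix(fields[1], "*")
		want[name] = strings.ToLower(fields[0])
	}
	return want, sc.Err()
}

func sha256Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyDir checks every listed artifact that exists in dir against its digest.
// Artifacts listed but not downloaded are skipped (like sha256sum --ignore-missing),
// but verifying nothing at all is treated as a failure so a wrong directory
// cannot pass silently. It returns the names that verified.
func VerifyDir(dir string, want map[string]string) ([]string, error) {
	var ok []string
	for name, digest := range want {
		// Reject entries that would escape the download directory.
		if filepath.Base(name) != name {
			return ok, fmt.Errorf("refusing path-like entry %q", name)
		}
		path := filepath.Join(dir, name)
		if _, err := os.Stat(path); os.IsNotExist(err) {
			continue
		}
		got, err := sha256Hex(path)
		if err != nil {
			return ok, err
		}
		if got != digest {
			return ok, fmt.Errorf("%s: sha256 mismatch (want %s, got %s)", name, digest, got)
		}
		ok = append(ok, name)
	}
	if len(ok) == 0 {
		return ok, fmt.Errorf("no listed artifacts found in %s", dir)
	}
	return ok, nil
}

// Usage (hypothetical file name): go run verify.go kubefwd_checksums.txt ./downloads
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <checksums.txt> <download-dir>")
		os.Exit(2)
	}
	f, err := os.Open(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()
	want, err := ParseChecksums(f)
	if err == nil {
		var verified []string
		verified, err = VerifyDir(os.Args[2], want)
		for _, n := range verified {
			fmt.Println("OK", n)
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
}
```

Run the cosign verification first and only then trust the checksum file as input to this step; a checksum file that has not been verified proves nothing about the artifacts.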

Breaking Changes

None.


Upgrade Notes

This is a drop-in replacement for v1.25.1. No configuration changes required.


Contributors

Thanks to all contributors who made this release possible.


Full Changelog

See the commit log for the complete list of changes.

Changelog

  • b4ffd8936c2f857152be8bdce733795aaf5f0fb1 Add fuzz testing to CI workflow
  • 6345ab0059dbc1a72e66b1d9972aef226d702ec6 Add fuzz tests and fix panic in ipFromString
  • a7735fab5ef452e1c41a89a0d5c5fc7484fb3425 Fix CodeQL autobuild and improve Scorecard compliance
  • c762a68bf740f8383ba466032116c60f1c44ae82 Fix CodeQL security alert (#339)
  • 8bbb9614b0bd7c9f69452cc1ddffaa1c1fda110d Fix MCPB build script for goreleaser arm64 directory naming
  • bdd56dd9eb5b2f01c8447c4bb2985835e6c9ac47 Improve OpenSSF Scorecard - Pin dependencies and restrict token permissions (#337)
  • 64510b08953bbee3307f37993da586c1988a85e3 MCP Bug Fixes and Improvements (#338)
  • ce94be833f48ffd2bb496f475c3152a03c09ee74 Pin mkdocs-material version in docs workflow
  • cafed0b17e55fa43686f07c25669cefa4be49b8f Sign MCPB bundles with Cosign and include in SLSA provenance
  • 56615cff93bcb546b3eb1c6562b77459f6bda8d9 deps: bump github.com/quic-go/quic-go from 0.54.0 to 0.57.0

Security Fixes

  • Fixed CodeQL alert: added bounds validation for IP octet parsing to prevent integer overflow (#339)


About txn2/kubefwd

Kubernetes bulk port forwarding with service discovery, /etc/hosts management, traffic monitoring, and pod log streaming

