
deps: Upgrade 9 packages to remove 21 vulnerabilities#672

Open
BacklineAI wants to merge 1 commit intoGoAdminGroup:mainfrom
Backline-oss-forks:backline/go-f77ec9b7d37149050b3a24f2225a9c9e

Conversation

@BacklineAI

🔐 Security Vulnerability Fixes

This pull request was created and verified by Backline to fix security vulnerabilities in your dependencies.


📦 Package Updates & Vulnerability Fixes

github.com/astaxie/beego

v1.12.1 → v1.12.2

github.com/beego/beego/v2

v2.2.0 → v2.2.1

  • 🟥 CVE-2025-30223 - Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input.
  • 🟧 CVE-2024-40464 - Beego privilege escalation vulnerability.
  • 🟧 CVE-2024-40465 - Beego privilege escalation vulnerability.
  • 🟨 CVE-2024-55885 - Beego has Collision Hazards of MD5 in Cache Key Filenames.

github.com/gin-gonic/gin

v1.3.0 → v1.9.1

  • 🟥 CVE-2019-25211 - github.com/gin-contrib/cors: Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors.
  • 🟧 CVE-2020-28483 - gin: HTTP response splitting.
  • 🟧 CVE-2020-36567 - gin: Unsanitized input in the default logger in github.com/gin-gonic/gin.
  • 🟨 CVE-2023-26125 - golang-github-gin-gonic-gin: Improper Input Validation.

github.com/gofiber/fiber/v2

v2.52.4 → v2.52.9

  • 🟥 CVE-2024-38513 - Session Middleware Token Injection Vulnerability.
  • 🟧 CVE-2025-54801 - Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder.

github.com/gomarkdown/markdown

v0.0.0-20231222211730-1d6d20845b47 → v0.0.0-20240729212818-a2a9c4f76ef5 (Recommended: <= 0.0.0-20240729212818-a2a9c4f76ef5)

  • 🟨 CVE-2024-44337 - gomarkdown/markdown: infinite loop via the paragraph function of parser/block.go.

github.com/sirupsen/logrus

v1.9.0 → v1.9.1 (Recommended: <= 1.9.1)

  • 🟧 CVE-2025-65637 - github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload.

golang.org/x/crypto

v0.31.0 → v0.39.0

  • 🟧 CVE-2025-22869 - golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh.
  • 🟨 CVE-2025-47914 - golang.org/x/crypto/ssh/agent: in golang.org/x/crypto/ssh/agent.
  • 🟨 CVE-2025-58181 - golang.org/x/crypto/ssh: in golang.org/x/crypto/ssh.

golang.org/x/net

v0.21.0 → v0.38.0 (Recommended: <= 0.38.0)

  • 🟨 CVE-2023-45288 - golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS.
  • 🟨 CVE-2025-22870 - golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
  • 🟨 CVE-2025-22872 - golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net.

google.golang.org/protobuf

v1.32.0 → v1.33.0 (Recommended: <= 1.33.0)

  • 🟨 CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON.

Legend: 🟥 Critical | 🟧 High | 🟨 Medium | 🟦 Low


⚠️ Breaking Change Notice

**Go version upgrade to 1.24.0**
Please review the following before merging:

  • 🔧 Local Development: Update your local installation to 1.24.0
  • 🚀 CI/CD Pipeline: Verify build pipelines and Docker images use 1.24.0
  • 📋 Dependencies: Ensure all build tools are compatible with the new version

Backline is here to help accelerate the remediation of your security backlog. Here's how we operate:

📥 Fetch Findings – Gather security issues
🔍 Analyze Findings – Understand the context and impact
📝 Plan Remediation – Generate a safe and effective fix strategy
👷 Apply Fix – Implement the remediation in code
🧪 Validate Code – Ensure the changes maintain code quality and integrity
Verify – Run tests to ensure correctness and stability

- `github.com/astaxie/beego`
- `github.com/beego/beego/v2`
- `github.com/gin-gonic/gin`
- `github.com/gofiber/fiber/v2`
- `github.com/gomarkdown/markdown`
- `github.com/sirupsen/logrus`
- `golang.org/x/crypto`
- `golang.org/x/net`
- `google.golang.org/protobuf`
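Before merging a bump like this, the check a reviewer wants is whether the resulting go.mod actually lands at or above each fixed version listed above (including the gomarkdown pseudo-version, which orders by its embedded timestamp rather than by the commit hash) and whether the `go` directive meets the 1.24.0 the breaking-change notice requires. The Go program below is an added example written for this page; it is not part of this PR, of Backline's tooling, or of the GoAdmin code base. The fixed versions are copied from the PR description, and the two go.mod samples are constructed with a placeholder module path.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Versions the PR above raises each module to; anything at or above them passes.
var minFixed = map[string]string{
	"github.com/astaxie/beego":       "v1.12.2",
	"github.com/beego/beego/v2":      "v2.2.1",
	"github.com/gin-gonic/gin":       "v1.9.1",
	"github.com/gofiber/fiber/v2":    "v2.52.9",
	"github.com/gomarkdown/markdown": "v0.0.0-20240729212818-a2a9c4f76ef5",
	"github.com/sirupsen/logrus":     "v1.9.1",
	"golang.org/x/crypto":            "v0.39.0",
	"golang.org/x/net":               "v0.38.0",
	"google.golang.org/protobuf":     "v1.33.0",
}

// Constructed sample go.mod files (placeholder module path, not GoAdmin's own):
// the pre-bump state and the state the PR description implies.
const beforeGoMod = `module example.com/app
go 1.21
require (
	github.com/gin-gonic/gin v1.3.0
	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
)
require golang.org/x/crypto v0.31.0 // indirect
`
const afterGoMod = `module example.com/app
go 1.24.0
require (
	github.com/gin-gonic/gin v1.9.1
	github.com/gomarkdown/markdown v0.0.0-20240729212818-a2a9c4f76ef5
	golang.org/x/crypto v0.39.0 // indirect
)
`

// parseGoMod returns the `go` directive and module->version pairs (single-line
// and block `require`). Trailing comments are dropped on purpose: `// indirect`
// modules are still part of the build list and must be checked too.
func parseGoMod(gomod string) (goVer string, reqs map[string]string) {
	reqs = map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "go" && len(f) == 2:
			goVer = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			reqs[f[1]] = f[2]
		}
	}
	return goVer, reqs
}

// versionLess reports a < b for the version forms in this PR: numeric "vX.Y.Z"
// (so v1.10.0 > v1.9.1; a bare "1.24" go directive parses too) and
// v0.0.0-<UTC timestamp>-<hash> pseudo-versions, whose fixed-width timestamps
// order correctly as strings. Full semver pre-release precedence is not covered.
func versionLess(a, b string) bool {
	split := func(v string) (core [3]int, pre string) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.Index(v, "-"); i >= 0 {
			v, pre = v[:i], v[i+1:]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			core[i], _ = strconv.Atoi(p)
		}
		return core, pre
	}
	ac, apre := split(a)
	bc, bpre := split(b)
	for i := range ac {
		if ac[i] != bc[i] {
			return ac[i] < bc[i]
		}
	}
	if apre == "" || bpre == "" {
		return apre != "" // a release outranks any pre-release of the same core
	}
	return apre < bpre
}

// Check reports the PR's modules that go.mod still pins below the fixed version
// (module -> pinned version; modules absent from go.mod are not in the build
// list and are skipped) and whether the `go` directive is below 1.24.0.
func Check(gomod string) (unfixed map[string]string, goTooOld bool) {
	goVer, reqs := parseGoMod(gomod)
	unfixed = map[string]string{}
	for mod, min := range minFixed {
		if v, ok := reqs[mod]; ok && versionLess(v, min) {
			unfixed[mod] = v
		}
	}
	return unfixed, versionLess("v"+goVer, "v1.24.0")
}

func main() {
	fmt.Println(Check(beforeGoMod))
	fmt.Println(Check(afterGoMod))
}
```

Two caveats when running this against a real tree: go.mod records minimum versions, and the version MVS actually selects is what `go list -m all` prints, so a `replace` directive or a higher transitive requirement can make the build differ from go.mod; and a clean result here says only that the fixed versions are required, while `govulncheck ./...` tells you which of the listed advisories touch functions the binary actually calls.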