KrakenD v2.9.4 CE and EE security releases
by Albert Lombarte
KrakenD CE 2.9.4 and KrakenD EE 2.9.4 are security releases that address several newly disclosed vulnerabilities affecting KrakenD EE and CE. The release ensures enhanced protection against known threats and maintains compliance with industry best practices for secure API gateways.
All KrakenD users are strongly encouraged to upgrade to version 2.9.4, even though the severity of some of these vulnerabilities has yet to be classified and their potential impact is unknown.
Security Fixes
This release resolves the following vulnerabilities:
CVE-2025-30204 - JOSE Library Memory Exhaustion
A vulnerability in the JOSE header parsing logic could be exploited to trigger excessive memory allocation, potentially leading to denial-of-service (DoS) conditions.
Mitigation: The affected library has been patched to enforce stricter parsing limits and validation checks.
CVE-2025-22870 - HTTP Proxy Bypass via IPv6 Zone Identifiers
An issue in the Go network stack allowed attackers to bypass HTTP proxy settings using crafted IPv6 zone identifiers.
Mitigation: Proxy address sanitization has been improved to eliminate bypass vectors.
CVE-2025-22871 - Request Smuggling in Go’s net/http
The Go HTTP server accepted malformed chunked encoding headers, opening the door to request smuggling attacks.
Mitigation: The net/http package has been updated to reject malformed chunked transfer headers with stricter compliance checks.
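As an added illustration (not KrakenD's or Go's own code) of what a strict chunked-framing check of the kind described above looks like, the Go snippet below rejects chunk-size lines and chunk framing that deviate from RFC 9112 instead of tolerating them; ParseChunkSizeLine, WalkChunkedBody and the sample bodies are hypothetical names and constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrMalformedChunk flags framing that does not follow RFC 9112 section 7.1 exactly.
var ErrMalformedChunk = errors.New("malformed chunked encoding")

// ParseChunkSizeLine strictly parses one chunk-size line including its CRLF; a bare LF,
// leading whitespace, a '+' sign, a "0x" prefix or a stray CR/LF byte is rejected.
func ParseChunkSizeLine(line string) (uint64, error) {
	body := strings.TrimSuffix(line, "\r\n") // unchanged when the CRLF terminator is missing
	if body == line || strings.ContainsAny(body, "\r\n") {
		return 0, fmt.Errorf("%w: bad line terminator in %q", ErrMalformedChunk, line)
	}
	hexPart, _, _ := strings.Cut(body, ";") // any chunk extension follows the first ';'
	if n := len(hexPart); n == 0 || n > 16 {
		return 0, fmt.Errorf("%w: chunk size must be 1..16 hex digits", ErrMalformedChunk)
	}
	return strconv.ParseUint(hexPart, 16, 64) // base 16: hex digits only, no sign/prefix/'_'
}

// WalkChunkedBody decodes a complete chunked body (trailers not handled) and fails on
// any chunk whose size line or trailing CRLF is malformed instead of guessing.
func WalkChunkedBody(raw string) ([]byte, error) {
	var out []byte
	for {
		eol := strings.Index(raw, "\r\n")
		if eol < 0 {
			return nil, fmt.Errorf("%w: unterminated chunk-size line", ErrMalformedChunk)
		}
		size, err := ParseChunkSizeLine(raw[:eol+2])
		if err != nil {
			return nil, err
		}
		raw = raw[eol+2:]
		if size == 0 {
			return out, nil // last-chunk
		}
		if size > uint64(len(raw)) || uint64(len(raw))-size < 2 || raw[size:size+2] != "\r\n" {
			return nil, fmt.Errorf("%w: chunk data not followed by CRLF", ErrMalformedChunk)
		}
		out = append(out, raw[:size]...)
		raw = raw[size+2:]
	}
}

// Constructed sample: decodes cleanly; replace the CRLF after "hello" with a bare LF to see it fail.
func main() { b, err := WalkChunkedBody("5\r\nhello\r\n0\r\n"); fmt.Printf("%q %v\n", b, err) }
```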
CVE-2025-29923 - Redis Out-of-Order Responses Risk
A race condition when the CLIENT SETINFO command timed out during connection establishment could lead to out-of-order responses in Redis (Enterprise only).
Mitigation: Updated Redis client libraries now handle timeout scenarios safely, preserving request-response ordering.
🚀 Summary of changes for EE v2.9.4 (patch)
Security fixes to cover several CVEs
- Patch CVE-2025-30204 (JOSE: excessive memory allocation during header parsing)
- Patch CVE-2025-22870 (NET: HTTP Proxy bypass using IPv6 Zone IDs)
- Patch CVE-2025-22871 (GO: Request smuggling due to acceptance of invalid chunked data in net/http)
- Patch CVE-2025-29923 (redis: potential out of order responses when CLIENT SETINFO times out during connection establishment)
- Clone the request when launching the go routine (Lura Project)
Upgrading to the latest version is always advised.
🚀 Summary of changes for CE v2.9.4 (patch)
Security fix to cover CVE-2025-22870
- Patch CVE-2025-30204 (JOSE: excessive memory allocation during header parsing)
- Patch CVE-2025-22870 (NET: HTTP Proxy bypass using IPv6 Zone IDs)
- Patch CVE-2025-22871 (GO: Request smuggling due to acceptance of invalid chunked data in net/http)
- Clone the request when launching the go routine (Lura Project)
Upgrading to the latest version is always advised.