github.com/zalando/skipper is vulnerable to Race Condition
41
Medium Risk
Affected versions of this package contain a race condition in the internal request tracing logic where httptrace callbacks may access a shared statebag concurrently without proper synchronization, leading to a runtime panic. Because the statebag was used to propagate time.Time values across tracing hooks, concurrent access could corrupt state and crash the application. An attacker could exploit this condition by triggering multiple concurrent requests that invoke httptrace callbacks simultaneously, causing repeated panics and resulting in a denial-of-service condition by crashing or destabilizing the service handling those requests.
You are affected if you are using a version that falls within the vulnerable range.
github.com/zalando/skipper is vulnerable to Race Condition in versions 0.11.70 - 0.24.47.
Upgrade the github.com/zalando/skipper library to the patch version.
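The failure mode described above, shown in its hardened form as an added example that is not Skipper's code: Go's `httptrace` hooks may be called concurrently from different goroutines, so any state they share needs a lock. The `traceTimes` type, its key names and the host string are assumptions made for illustration.

```go
package main

import (
	"net/http/httptrace"
	"sync"
	"time"
)

// traceTimes (hypothetical) stores the time.Time marks set by tracing hooks.
// A bare map here would abort the process with "concurrent map writes".
type traceTimes struct {
	mu    sync.Mutex
	marks map[string]time.Time
}

func (t *traceTimes) set(name string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.marks[name] = time.Now()
}

func newClientTrace(t *traceTimes) *httptrace.ClientTrace {
	return &httptrace.ClientTrace{
		GetConn:              func(string) { t.set("get_conn") },
		GotConn:              func(httptrace.GotConnInfo) { t.set("got_conn") },
		GotFirstResponseByte: func() { t.set("first_byte") },
	}
}

// fireConcurrently calls the hooks from n goroutines at once (a constructed
// stand-in for overlapping requests) and returns how many marks were stored.
func fireConcurrently(n int) int {
	tt := &traceTimes{marks: make(map[string]time.Time)}
	ct := newClientTrace(tt)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			ct.GetConn("backend.example:80") // constructed host
			ct.GotConn(httptrace.GotConnInfo{})
			ct.GotFirstResponseByte()
		}()
	}
	wg.Wait() // all writers finished, so reading the map is safe
	return len(tt.marks)
}

func main() { println(fireConcurrently(64)) }
```

Running the same hooks against an unguarded map under `go test -race` is a quick way to confirm whether a given build still has the unsynchronized access.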