The Wire · Showcase
CONSUL TEST SUITE PULLS IN FIXES FOR THREE RUNC CONTAINER ESCAPE CVES, AWS CLEANUP OVERHAUL SHIPS
By RepoJournal · Filed · About HashiCorp
Consul's integration-test module just pulled in fixes for three high-severity runc container escape CVEs by bumping testcontainers-go from v0.22.0 to v0.40.0, while consul-k8s's AWS cleanup script got a complete rewrite to deal with IAM policy quota exhaustion and DeleteConflict errors on teardown.
The big move came out of the Consul repo [1], where Dependabot flagged three HIGH runc CVEs (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881), all of them container escapes. Rather than pin runc directly, the team upgraded testcontainers-go from v0.22.0 to v0.40.0 and the Docker module from v24.0.5 to v28.5.1, pulling the fixed runc in transitively. That's the right call for a test dependency: take upstream's full fix rather than a backport. One caveat for anyone triaging the same alerts: the bump lives in Consul's test-integ module, so it changes what the integration-test runners pull in, not what ships in the Consul binary; the hosts that actually executed the vulnerable runc were the CI machines running those tests.

Over in consul-k8s, the enhanced AWS cleanup script [2] [3] shipped after Terraform provisioning started hitting the account's IAM policy quota, with stale customer-managed policies left behind by earlier runs occupying the slots. The rewrite adds cleanupIAMPolicies to sweep those stale policies, adds removeRoleFromInstanceProfiles to clear the DeleteConflict errors IAM returns when a role is deleted while it is still a member of an instance profile, and moves the script to aws-sdk-go-v2.

Vault SDK got a major bump in Consul [4], jumping from v0.7.0 to v0.25.1 alongside Vault API v1.12.2 to v1.16.0, with downstream bumps to the Prometheus client and yamux.

Two production fixes landed back-to-back in the gateway layer: one adds observability for gateway failures [5], while the more important fix [6] stops the 503 cluster_not_found errors seen when adding routes to a busy API gateway, by fixing how watch.Map.InitWatch cancels existing watches.
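Worked example of the ordering the consul-k8s cleanup described above has to get right. This is written for this article, not taken from consul-k8s: the real script calls aws-sdk-go-v2, whereas the IAM interface, FakeIAM, DeleteRoleWithDependencies, DeleteStalePolicy and the fixture names here are this example's own. IAM answers DeleteRole with DeleteConflict while the role is still in an instance profile or has policies attached, and answers DeletePolicy with the same error while the policy is attached anywhere or still has non-default versions; every leftover policy also occupies a slot in the per-account managed-policy quota. The block walks both dependency chains in the required order against an in-memory fake that enforces the same rules:

```go
package main

import (
	"errors"
	"fmt"
	"slices"
	"strings"
)

// ErrDeleteConflict stands in for IAM's DeleteConflict: the entity still has dependents.
var ErrDeleteConflict = errors.New("DeleteConflict: entity still has dependents")

// IAM is the subset of the IAM API the cleanup needs. Method names mirror the service
// operations; signatures are simplified (no context, no SDK structs, no pagination).
type IAM interface {
	InstanceProfilesForRole(role string) []string
	RemoveRoleFromInstanceProfile(profile, role string) error
	AttachedRolePolicies(role string) []string
	DetachRolePolicy(role, policyArn string) error
	DeleteRole(role string) error
	RolesForPolicy(policyArn string) []string
	PolicyVersions(policyArn string) (versions []string, defaultVersion string)
	DeletePolicyVersion(policyArn, version string) error
	DeletePolicy(policyArn string) error
}

// DeleteRoleWithDependencies leaves every instance profile and detaches every
// policy before DeleteRole, which otherwise fails with DeleteConflict.
func DeleteRoleWithDependencies(c IAM, role string) error {
	for _, p := range c.InstanceProfilesForRole(role) {
		if err := c.RemoveRoleFromInstanceProfile(p, role); err != nil {
			return fmt.Errorf("remove %s from instance profile %s: %w", role, p, err)
		}
	}
	for _, arn := range c.AttachedRolePolicies(role) {
		if err := c.DetachRolePolicy(role, arn); err != nil {
			return fmt.Errorf("detach %s from %s: %w", arn, role, err)
		}
	}
	return c.DeleteRole(role)
}

// DeleteStalePolicy detaches a customer-managed policy everywhere and deletes its
// non-default versions (DeletePolicy refuses while any remain) before deleting
// the policy, which frees a slot in the per-account managed-policy quota.
func DeleteStalePolicy(c IAM, arn string) error {
	for _, r := range c.RolesForPolicy(arn) {
		if err := c.DetachRolePolicy(r, arn); err != nil {
			return fmt.Errorf("detach %s from %s: %w", arn, r, err)
		}
	}
	versions, def := c.PolicyVersions(arn)
	for _, v := range versions {
		if v != def { // the default version is removed with the policy itself
			if err := c.DeletePolicyVersion(arn, v); err != nil {
				return fmt.Errorf("delete version %s of %s: %w", v, arn, err)
			}
		}
	}
	return c.DeletePolicy(arn)
}

// FakeIAM is an in-memory stand-in constructed for this example: deps maps a role
// name or policy ARN to tagged dependents ("profile:", "policy:", "role:", "version:")
// that block deletion. Only non-default versions are stored; the default is always "v1".
type FakeIAM struct{ deps map[string][]string }

func (f *FakeIAM) list(entity, tag string) (out []string) {
	for _, d := range f.deps[entity] {
		if rest, ok := strings.CutPrefix(d, tag); ok {
			out = append(out, rest)
		}
	}
	return out
}

func (f *FakeIAM) drop(entity, dep string) {
	f.deps[entity] = slices.DeleteFunc(f.deps[entity], func(d string) bool { return d == dep })
}

func (f *FakeIAM) del(entity string) error {
	if len(f.deps[entity]) > 0 {
		return ErrDeleteConflict
	}
	delete(f.deps, entity)
	return nil
}

func (f *FakeIAM) InstanceProfilesForRole(r string) []string       { return f.list(r, "profile:") }
func (f *FakeIAM) RemoveRoleFromInstanceProfile(p, r string) error { f.drop(r, "profile:"+p); return nil }
func (f *FakeIAM) AttachedRolePolicies(r string) []string          { return f.list(r, "policy:") }
func (f *FakeIAM) DetachRolePolicy(r, a string) error              { f.drop(r, "policy:"+a); f.drop(a, "role:"+r); return nil }
func (f *FakeIAM) DeleteRole(r string) error                       { return f.del(r) }
func (f *FakeIAM) RolesForPolicy(a string) []string                { return f.list(a, "role:") }
func (f *FakeIAM) PolicyVersions(a string) ([]string, string)      { return append(f.list(a, "version:"), "v1"), "v1" }
func (f *FakeIAM) DeletePolicyVersion(a, v string) error           { f.drop(a, "version:"+v); return nil }
func (f *FakeIAM) DeletePolicy(a string) error                     { return f.del(a) }

// Constructed fixture: a leftover node role still in its instance profile with a
// policy attached, where that policy also carries a stale non-default version.
const DemoRole, DemoPolicyARN = "consul-k8s-test-node", "arn:aws:iam::123456789012:policy/consul-k8s-test-node"

func NewDemoIAM() *FakeIAM {
	return &FakeIAM{deps: map[string][]string{
		DemoRole:      {"profile:" + DemoRole + "-profile", "policy:" + DemoPolicyARN},
		DemoPolicyARN: {"role:" + DemoRole, "version:v2"},
	}}
}
```

Against the fixture, a bare DeleteRole on DemoRole returns DeleteConflict, DeleteRoleWithDependencies succeeds, DeletePolicy on DemoPolicyARN still returns DeleteConflict because of the extra version, and DeleteStalePolicy then succeeds. To run the same logic against a real account, back the IAM interface with a thin adapter over aws-sdk-go-v2's iam.Client (ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, ListAttachedRolePolicies, DetachRolePolicy, DeleteRole, ListEntitiesForPolicy, ListPolicyVersions, DeletePolicyVersion and DeletePolicy are the operations involved), page through every list result, and remember that ListEntitiesForPolicy also reports users and groups, which the fake does not model and which must be detached as well.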
Action items
- → Verify that your integration-test runs resolve testcontainers-go v0.40.0 and, through it, a patched runc, especially if you build on Consul's test-integ module or start Consul containers through testcontainers in CI hashicorp/consul [plan]
- → If you provision consul-k8s test environments on AWS with Terraform, pick up the rewritten cleanup script so stale IAM policies and instance-profile memberships stop blocking teardown hashicorp/consul-k8s [plan]
- → Deploy the gateway 503 fix [6] if you're running API gateways with dynamic route updates hashicorp/consul [immediate]
References
- [1] deps(test-integ): upgrade testcontainers-go v0.22.0->v0.40.0, docker v24.0.5->v28.5.1 ↗ hashicorp/consul
- [2] Enhanced AWS cleanup script ↗ hashicorp/consul-k8s
- [3] Enhanced AWS cleanup script (#5208) hashicorp/consul-k8s
- [4] build(deps): bump github.com/hashicorp/vault/sdk from v0.7.0 to v0.25.1 ↗ hashicorp/consul
- [5] add gateway failures ↗ hashicorp/consul
- [6] fix: fixed 503 errors when adding routes to a busy gateway ↗ hashicorp/consul
FAQ
- What changed in HashiCorp on May 20, 2026?
- Consul's integration-test module just pulled in fixes for three high-severity runc container escape CVEs by bumping testcontainers-go from v0.22.0 to v0.40.0, while consul-k8s's AWS cleanup script got a complete rewrite to deal with IAM policy quota exhaustion and DeleteConflict errors on teardown.
- What should HashiCorp teams do about it?
- Verify that your integration-test runs resolve testcontainers-go v0.40.0 and, through it, a patched runc • If you provision consul-k8s test environments on AWS with Terraform, pick up the rewritten cleanup script so stale IAM policies and instance-profile memberships stop blocking teardown • Deploy the gateway 503 fix [6] if you're running API gateways with dynamic route updates
- Which HashiCorp repositories shipped on May 20, 2026?
- hashicorp/consul, hashicorp/consul-k8s