CVE-2025-1243 - Data Converter Not Applied to Update Responses in Temporal api-go Proxy (<v1.44.1)

Temporal is a popular open-source workflow orchestration platform that companies use to build distributed applications. The api-go library is one of the main ways Go applications talk to Temporal, and its proxy package lets you put a gRPC proxy between your applications and the Temporal service. In January 2025 a new API, UpdateWorkflowExecution, was released, letting a caller send an update to a running workflow and get the update's result back in the response.

Shortly after, a security vulnerability was disclosed: CVE-2025-1243. It affects proxies built with api-go before v1.44.1: the update response was not passed through the Data Converter (the mechanism responsible for serialization and, in many deployments, encryption), even though every other payload was. Let's dive into the details, look at some code, and discuss why this matters even though other safeguards were in place.

What Happened?

When a gRPC proxy built with the api-go proxy package (prior to v1.44.1) handled a call to the UpdateWorkflowExecution API, the update response was forwarded _without_ being run through the application's Data Converter.

In the proxy, the Data Converter's codec stage is what applies transformations such as serialization, compression, or encryption to every payload that crosses the proxy, in requests and in responses. Normally every payload-bearing field is covered; because of this bug, the payloads in the update response (the update's result) were skipped.

Why This Matters

- PROBLEM: If your Data Converter encrypts payloads, the update response left the proxy in plaintext while every other payload was encrypted.
- LIMITATION: Only deployments using the api-go proxy package before v1.44.1 are affected, and only for the UpdateWorkflowExecution API. Other APIs and payload fields were handled correctly.
- MITIGATION: Data *was* still protected in transit by TLS, so a network observer saw nothing new, and Temporal Cloud was not affected. Databases and Data Converter servers were not at risk; the exposure is at the proxy itself, which TLS does not cover.
- RISK: The window is narrow, but if your organization relies on "application-level encryption" via the Data Converter and routes traffic through such a proxy, the update response was readable wherever the proxy's memory or logs were.

Who Is Affected?

You are affected only if both of the following hold:

- You call Temporal's UpdateWorkflowExecution API
- Your traffic passes through a gRPC proxy built with the api-go proxy package at a version _before_ v1.44.1

Within the proxy, here's a simplified sketch of what would happen (placeholder types and names, not the library's real ones):

// Before v1.44.1 - simplified sketch of the proxy's UpdateWorkflowExecution handler.
// Request payloads go through the codec; the update response is forwarded untouched.
func (p *proxy) UpdateWorkflowExecution(ctx context.Context, req *UpdateRequest) (*UpdateResponse, error) {
    // The update's input payloads DO go through the Data Converter...
    if err := p.codec.EncodeRequest(req); err != nil {
        return nil, err
    }
    resp, err := p.upstream.UpdateWorkflowExecution(ctx, req)
    if err != nil {
        return nil, err
    }
    // ...but resp, which carries the update's result, is returned as-is.
    // Nothing here ever hands the update response to the codec.
    return resp, nil
}

So if your Data Converter encrypts payloads, everything else leaving the proxy is ciphertext while the update result is still plaintext.

How the Patch Looks

After upgrading to api-go v1.44.1 or later, the proxy runs the update response through the Data Converter as well (same placeholder names as above):

// v1.44.1+ - the same handler, now running the update response through the codec
func (p *proxy) UpdateWorkflowExecution(ctx context.Context, req *UpdateRequest) (*UpdateResponse, error) {
    if err := p.codec.EncodeRequest(req); err != nil {
        return nil, err
    }
    resp, err := p.upstream.UpdateWorkflowExecution(ctx, req)
    if err != nil {
        return nil, err
    }
    // The fix: the result payloads inside the update response are visited too
    if err := p.codec.EncodeResponse(resp); err != nil {
        return nil, err
    }
    return resp, nil
}
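To make the bug and the fix concrete, here is an added, self-contained Go example that is not code from api-go or Temporal. It models the proxy's payload walker over simplified message types, uses an AES-GCM codec as a stand-in for an encrypting Data Converter, and includes the check a practitioner wants: which outcome payloads left the proxy without the encrypted marker. The message shapes, the demo key, the upstream handler and the function names are assumptions made for this example; the `binary/encrypted` marker follows the convention of Temporal's encryption codec samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Simplified stand-ins for the api-go message shapes (assumption: only the payload-bearing fields are modelled).
type Payload struct {
	Metadata map[string]string
	Data     []byte
}
type UpdateRequest struct{ Input []*Payload }   // the update's arguments
type UpdateResponse struct{ Outcome []*Payload } // the update's result, skipped by the proxy before v1.44.1

const encryptedEncoding = "binary/encrypted" // marker Temporal's encryption codec samples put on encrypted payloads

// aesGCMCodec plays the Data Converter's role inside the proxy (assumption: a real codec would fetch the key from a KMS).
type aesGCMCodec struct{ aead cipher.AEAD }

func NewAESGCMCodec(key []byte) (*aesGCMCodec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &aesGCMCodec{aead: aead}, err
}

// Encode encrypts p.Data with a fresh nonce prepended and marks the payload as encrypted.
func (c *aesGCMCodec) Encode(p *Payload) (*Payload, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := c.aead.Seal(nonce, nonce, p.Data, nil)
	return &Payload{Metadata: map[string]string{"encoding": encryptedEncoding}, Data: ct}, nil
}

// visitPayloads walks the messages the proxy knows carry payloads, replacing each with fn(payload).
// With handleUpdateResponse=false it behaves like api-go before v1.44.1: the update response has no case.
func visitPayloads(msg any, fn func(*Payload) (*Payload, error), handleUpdateResponse bool) error {
	apply := func(ps []*Payload) error {
		for i, p := range ps {
			out, err := fn(p)
			if err != nil {
				return err
			}
			ps[i] = out
		}
		return nil
	}
	switch m := msg.(type) {
	case *UpdateRequest:
		return apply(m.Input)
	case *UpdateResponse:
		if !handleUpdateResponse {
			return nil // the bug: the update result never reaches the codec
		}
		return apply(m.Outcome)
	default:
		return fmt.Errorf("unhandled message type %T", msg)
	}
}

// ProxyUpdate is the proxy handler: encode the request, call upstream, encode the response.
// fixed selects pre- or post-1.44.1 handling of the update response; inputs were always handled.
func ProxyUpdate(c *aesGCMCodec, req *UpdateRequest, upstream func(*UpdateRequest) *UpdateResponse, fixed bool) (*UpdateResponse, error) {
	if err := visitPayloads(req, c.Encode, true); err != nil {
		return nil, err
	}
	resp := upstream(req)
	return resp, visitPayloads(resp, c.Encode, fixed)
}

// UnencryptedOutcome lists outcome payloads that left the proxy without the encrypted marker,
// i.e. what a log line or memory dump taken at the proxy would expose.
func UnencryptedOutcome(resp *UpdateResponse) []string {
	var leaked []string
	for _, p := range resp.Outcome {
		if p.Metadata["encoding"] != encryptedEncoding {
			leaked = append(leaked, string(p.Data))
		}
	}
	return leaked
}

func main() {
	codec, err := NewAESGCMCodec([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	plain := func(s string) *Payload { return &Payload{Metadata: map[string]string{"encoding": "json/plain"}, Data: []byte(s)} }
	upstream := func(*UpdateRequest) *UpdateResponse { // constructed: always returns a sensitive result
		return &UpdateResponse{Outcome: []*Payload{plain(`{"ssn":"***-**-1234"}`)}}
	}
	for _, fixed := range []bool{false, true} {
		resp, _ := ProxyUpdate(codec, &UpdateRequest{Input: []*Payload{plain(`{"amount":100}`)}}, upstream, fixed)
		fmt.Printf("fixed=%v plaintext outcome payloads: %q\n", fixed, UnencryptedOutcome(resp))
	}
}
```

Running it shows the request inputs encrypted in both runs while the outcome is plaintext only when `fixed=false`. The design point worth noticing is the `switch` in `visitPayloads`: a walker that enumerates message types by hand silently forwards anything it has no case for, which is how a newly added API can slip past a converter; the `default` branch that reports unknown types is the cheap guard against the next instance of this bug.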

Exploit Scenario

Attacker Model:
The attacker needs a position that can read the proxy's traffic after TLS termination, its logs, or its memory: a compromised proxy host, an over-privileged log pipeline, a debug dump. Where the Data Converter should have encrypted the update response but did not, that position yields plaintext.

Limitations:
- Data was always still TLS-encrypted in flight, so a passive network observer gains nothing
- Temporal Cloud users were safe

Potential Impact:
An attacker with access to proxy logs or memory could read sensitive data in update responses that the Data Converter should have encrypted but did not.

If you log or inspect responses in the proxy, for example:

resp, err := proxyUpdateWorkflow(ctx, updateRequest)
// %+v dumps every field of the response, the update result included
fmt.Printf("Proxy logging update response (err=%v): %+v\n", err, resp)

On a vulnerable version this prints _real application data_ in plaintext, even though your Data Converter encrypts it everywhere else.

How to Fix

- Upgrade: Move to api-go v1.44.1 or newer straight away; this is the only real fix.
- Review Data Converters: Confirm that the converter (and any codec configured in the proxy) is applied on every data path, including APIs added after the converter was first set up.
- Scan Logs and Audit: If you ran an affected version, search the proxy's logs and any debug snapshots for plaintext update responses, and treat whatever you find as exposed.
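The audit step above is easy to script. The following is an added example, not tooling from Temporal: it scans JSON-lines output from a proxy for update responses whose outcome payloads lack the encrypted marker, and reports the line number with a truncated preview so the report itself does not re-leak the value. The log field names (`msg`, `outcome`, `metadata`, `data`), the sample lines and the 16-character preview limit are assumptions constructed for this example; adapt the struct tags to whatever your proxy actually logs.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// loggedPayload and loggedUpdateResponse mirror the JSON a proxy might write for a
// response (assumption: constructed field names; match them to your own logger).
type loggedPayload struct {
	Metadata map[string]string `json:"metadata"`
	Data     string            `json:"data"`
}
type loggedUpdateResponse struct {
	Msg     string          `json:"msg"`
	Outcome []loggedPayload `json:"outcome"`
}

const encryptedEncoding = "binary/encrypted" // marker Temporal's encryption codec samples put on encrypted payloads

// Finding records one log line whose update outcome was written without the encrypted marker.
type Finding struct {
	Line     int
	Encoding string
	Preview  string // truncated so the audit report does not re-leak the value
}

// AuditProxyLog scans JSON-lines proxy output for update responses whose outcome
// payloads lack the encrypted marker. Lines that are not JSON or not update responses are skipped.
func AuditProxyLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		var rec loggedUpdateResponse
		if err := json.Unmarshal([]byte(sc.Text()), &rec); err != nil || rec.Msg != "update response" {
			continue
		}
		for _, p := range rec.Outcome {
			if enc := p.Metadata["encoding"]; enc != encryptedEncoding {
				preview := p.Data
				if len(preview) > 16 {
					preview = preview[:16] + "..."
				}
				findings = append(findings, Finding{Line: n, Encoding: enc, Preview: preview})
			}
		}
	}
	return findings
}

// sampleLog is constructed: line 2 is what a pre-1.44.1 proxy would write, line 4 a fixed one.
const sampleLog = `{"msg":"update request","input":[{"metadata":{"encoding":"binary/encrypted"},"data":"Zm9v"}]}
{"msg":"update response","outcome":[{"metadata":{"encoding":"json/plain"},"data":"{\"card\":\"4111111111111111\"}"}]}
not json at all
{"msg":"update response","outcome":[{"metadata":{"encoding":"binary/encrypted"},"data":"q1b2c3=="}]}`

func main() {
	for _, f := range AuditProxyLog(sampleLog) {
		fmt.Printf("line %d: update outcome logged with encoding %q: %s\n", f.Line, f.Encoding, f.Preview)
	}
}
```

On the sample it flags only line 2. In a real audit, point it at the retained proxy logs for the whole period the vulnerable version was deployed, and remember that the absence of findings in logs says nothing about crash dumps or memory captures taken from the proxy host.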

References & Further Reading

- Advisory: Temporal Security Advisory CVE-2025-1243 (api-go Update Response Issue)
- Temporal api-go Changelog
- Temporal Data Converter Documentation
- Temporal Server Security Overview
- CVE-2025-1243 NVD Entry (placeholder until published)

Conclusion

CVE-2025-1243 is a reminder that proxies and middleware must carefully honor application data transformations like encryption or serialization—even in "internal" microservice traffic. If you use Temporal's UpdateWorkflowExecution API with api-go in a proxy, verify your version and update immediately to v1.44.1 or greater.

Stay safe, and always keep an eye on your security advisories and library upgrades!



Timeline

Published on: 02/12/2025 01:15:09 UTC