Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Description
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as the minimum version, but the whole tlsConfig is ignored after the TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dex 2.37.0 ignores its TLS configuration, allowing insecure TLS 1.0/1.1 and weak cipher suites despite setting TLS 1.2 as the minimum version.
Vulnerability
Summary
In Dex 2.37.0 the identity service gained a TLS certificate reloader, and that change inadvertently bypassed the whole tlsConfig block. Although cmd/dex/serve.go line 425 specifies MinVersion as TLS 1.2, the configuration is never applied once the reloader is in place; the listener runs on Go's crypto/tls defaults instead, whose server-side floor was TLS 1.0 on the Go releases of the time (the default moved to TLS 1.2 only in Go 1.22), so deprecated TLS 1.0 and TLS 1.1 are accepted [1][2]. The configured cipher suites are ignored for the same reason, leaving weak, older suites enabled [2].
Exploitation
Details
The weakness is reachable wherever Dex terminates HTTPS itself (the web endpoint, and gRPC when it is served with TLS). No authentication is involved: any client that reaches the HTTPS endpoint can complete a handshake at TLS 1.0 or 1.1 and with cipher suites Dex's configuration was meant to exclude, such as 3DES and CBC-SHA variants [2]. An attacker on the network path can turn that leniency into a downgrade only against clients that are themselves willing to negotiate those versions and ciphers; current browsers and Go's own default client configuration refuse them, so the exposure is concentrated on legacy or permissively configured clients and on the fact that the operator's hardening is silently not in force. The quickest check against a running instance is a handshake from a client pinned to TLS 1.1, for example `openssl s_client -connect <host>:<port> -tls1_1` where the local OpenSSL build still permits that version: a patched Dex rejects it, a 2.37.0 build completes it.
Impact
If a client does negotiate TLS 1.0 or 1.1 with a CBC cipher suite, the session falls back to constructions with known weaknesses (BEAST against TLS 1.0 CBC is the classic example), which in the worst case lets an on-path attacker recover or tamper with parts of the traffic between that client and Dex, including bearer tokens and submitted credentials [1][2]. POODLE, often cited alongside BEAST for this class of issue, needs SSL 3.0, which the Go crypto/tls Dex is built on no longer implements, so it does not apply here. Even where no such client exists, the deployment is weaker than its configuration claims, which matters for any scanner or compliance check that grades the endpoint.
Mitigation
The issue is fixed in Dex 2.38.0, which applies the configured TLS settings again and adds tlsMinVersion / tlsMaxVersion (accepted values: 1.2 and 1.3) under both the web and grpc configuration blocks [1][4]; when unset, the minimum is TLS 1.2 and the maximum is Go's default. Operators running 2.37.0 should upgrade. Until then, terminating TLS at a reverse proxy with an enforced minimum of TLS 1.2 and a curated cipher list, and keeping Dex's own HTTPS listener reachable only from that proxy, removes the exposure. After upgrading, verify rather than assume: a handshake pinned to TLS 1.1 against the Dex endpoint must fail.
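The following Go program is an added example written for this page, not Dex's own code. It rebuilds the "1.2"/"1.3" version mapping the 2.38.0 patch introduces, with an explicit rejection of unknown values, and then shows the defect class behind this CVE side by side: a base tls.Config carrying a version floor and cipher allow-list that is wired together with a reloader-style GetCertificate callback (HardenedConfig), versus a fresh tls.Config that carries only the callback so the base config is discarded (BrokenConfig). A loopback probe pinned to a single protocol version makes the difference observable. Assumptions: the cipher allow-list is illustrative rather than Dex's exact list, the certificate is a self-signed localhost certificate generated in memory (constructed test data), and the hardened floor is set to TLS 1.3 so that the discarded configuration shows up as an accepted TLS 1.2 handshake on any Go release (in Dex 2.37.0 the discarded floor was 1.2 and the Go default at the time was 1.0).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Allow-list from the 2.38.0 fix; a miss yields 0, which tls.Config reads as "Go defaults".
var tlsVersions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// BaseTLSConfig builds the server config from the config-file strings: empty min means
// TLS 1.2, empty max means Go's default ceiling, min > max is rejected. The cipher
// allow-list is an assumption for this example, not Dex's exact list.
func BaseTLSConfig(minVersion, maxVersion string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
	if minVersion != "" {
		if cfg.MinVersion = tlsVersions[minVersion]; cfg.MinVersion == 0 {
			return nil, fmt.Errorf("tlsMinVersion %q: supported TLS versions are 1.2, 1.3", minVersion)
		}
	}
	if maxVersion != "" {
		if cfg.MaxVersion = tlsVersions[maxVersion]; cfg.MaxVersion == 0 {
			return nil, fmt.Errorf("tlsMaxVersion %q: supported TLS versions are 1.2, 1.3", maxVersion)
		}
	}
	if cfg.MaxVersion != 0 && cfg.MinVersion > cfg.MaxVersion {
		return nil, fmt.Errorf("tlsMinVersion greater than tlsMaxVersion")
	}
	return cfg, nil
}

// NewReloader generates a throwaway self-signed localhost certificate in memory (constructed
// test data) and returns a reloader-style GetCertificate callback plus the pool trusting it.
func NewReloader() (func(*tls.ClientHelloInfo) (*tls.Certificate, error), *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	cert := &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	return func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cert, nil }, roots, nil
}

// HardenedConfig attaches the reloader to the base config, so floor and allow-list stay in force.
func HardenedConfig(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), minVersion, maxVersion string) (*tls.Config, error) {
	cfg, err := BaseTLSConfig(minVersion, maxVersion)
	if err != nil {
		return nil, err
	}
	cfg.GetCertificate = getCert
	return cfg, nil
}

// BrokenConfig reproduces the 2.37.0 defect: a fresh tls.Config carrying only the reloader
// callback, so nothing from the base config reaches the listener and Go's defaults apply.
func BrokenConfig(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	return &tls.Config{GetCertificate: getCert}
}

// Probe serves one handshake with cfg on a loopback listener and connects with a client
// pinned to exactly one TLS version; a nil error means the server accepted that version.
func Probe(cfg *tls.Config, roots *x509.CertPool, version uint16) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // the verdict is observed on the client side
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots, ServerName: "localhost"})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

Against a running instance the client half of Probe is the check to run: point tls.Dial at the Dex HTTPS address with MinVersion and MaxVersion both set to tls.VersionTLS11 and a RootCAs pool holding the real certificate; a 2.38.0 build refuses the handshake, a 2.37.0 build completes it. The same pattern, with the floor raised, also catches a regression of the wiring bug in any project that bolts a certificate reloader onto an existing tls.Config.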
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/dexidp/dex (Go) | >= 2.37.0, < 2.38.0 | 2.38.0 |
| github.com/dexidp/dex (Go) | < 0.0.0-20240125115555-5bbdb4420254 | 0.0.0-20240125115555-5bbdb4420254 |
Patches (1)
5bbdb4420254 feat: add TLS versions configuration
4 files changed · +49 −9
cmd/dex/config.go+15 −5 modified@@ -64,10 +64,16 @@ func (c Config) Validate() error { {c.Web.HTTP == "" && c.Web.HTTPS == "", "must supply a HTTP/HTTPS address to listen on"}, {c.Web.HTTPS != "" && c.Web.TLSCert == "", "no cert specified for HTTPS"}, {c.Web.HTTPS != "" && c.Web.TLSKey == "", "no private key specified for HTTPS"}, + {c.Web.TLSMinVersion != "" && c.Web.TLSMinVersion != "1.2" && c.Web.TLSMinVersion != "1.3", "supported TLS versions are: 1.2, 1.3"}, + {c.Web.TLSMaxVersion != "" && c.Web.TLSMaxVersion != "1.2" && c.Web.TLSMaxVersion != "1.3", "supported TLS versions are: 1.2, 1.3"}, + {c.Web.TLSMaxVersion != "" && c.Web.TLSMinVersion != "" && c.Web.TLSMinVersion > c.Web.TLSMaxVersion, "TLSMinVersion greater than TLSMaxVersion"}, {c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"}, {c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"}, + {c.GRPC.TLSMinVersion != "" && c.GRPC.TLSMinVersion != "1.2" && c.GRPC.TLSMinVersion != "1.3", "supported TLS versions are: 1.2, 1.3"}, + {c.GRPC.TLSMaxVersion != "" && c.GRPC.TLSMaxVersion != "1.2" && c.GRPC.TLSMaxVersion != "1.3", "supported TLS versions are: 1.2, 1.3"}, + {c.GRPC.TLSMaxVersion != "" && c.GRPC.TLSMinVersion != "" && c.GRPC.TLSMinVersion > c.GRPC.TLSMaxVersion, "TLSMinVersion greater than TLSMaxVersion"}, } var checkErrors []string @@ -149,6 +155,8 @@ type Web struct { HTTPS string `json:"https"` TLSCert string `json:"tlsCert"` TLSKey string `json:"tlsKey"` + TLSMinVersion string `json:"tlsMinVersion"` + TLSMaxVersion string `json:"tlsMaxVersion"` AllowedOrigins []string `json:"allowedOrigins"` AllowedHeaders []string `json:"allowedHeaders"` } 
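Review bot: the `c.Web.TLSMinVersion > c.Web.TLSMaxVersion` row in the Validate table (and its GRPC twin) is a string comparison; it gives the right answer only because the two rows above it restrict the values to "1.2" and "1.3", and nothing records that dependency. Suggest mapping both strings to their tls.Version constants once (the same map serve.go builds) and comparing the numbers, or at least a comment noting why lexicographic order is acceptable here. The four identical "supported TLS versions are: 1.2, 1.3" rows would also collapse into one `validTLSVersion(s string) bool` helper.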
@@ -163,11 +171,13 @@ type Telemetry struct { // GRPC is the config for the gRPC API. type GRPC struct { // The port to listen on. - Addr string `json:"addr"` - TLSCert string `json:"tlsCert"` - TLSKey string `json:"tlsKey"` - TLSClientCA string `json:"tlsClientCA"` - Reflection bool `json:"reflection"` + Addr string `json:"addr"` + TLSCert string `json:"tlsCert"` + TLSKey string `json:"tlsKey"` + TLSClientCA string `json:"tlsClientCA"` + TLSMinVersion string `json:"tlsMinVersion"` + TLSMaxVersion string `json:"tlsMaxVersion"` + Reflection bool `json:"reflection"` } // Storage holds app's storage configuration.
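Review bot: the new TLSMinVersion and TLSMaxVersion fields in GRPC (and in Web above) carry no doc comment, and the existing `// The port to listen on.` now sits above the whole realigned block as if it described every field. Suggest a comment on each new field stating the accepted values ("1.2", "1.3") and the defaults (min 1.2, max left to Go), since otherwise the Validate error string is the only documentation of the contract.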
cmd/dex/config_test.go+6 −2 modified@@ -71,7 +71,9 @@ storage: connMaxLifetime: 30 connectionTimeout: 3 web: - http: 127.0.0.1:5556 + https: 127.0.0.1:5556 + tlsMinVersion: 1.3 + tlsMaxVersion: 1.2 frontend: dir: ./web @@ -144,7 +146,9 @@ logger: }, }, Web: Web{ - HTTP: "127.0.0.1:5556", + HTTPS: "127.0.0.1:5556", + TLSMinVersion: "1.3", + TLSMaxVersion: "1.2", }, Frontend: server.WebConfig{ Dir: "./web",
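Review bot: the updated fixture sets `tlsMinVersion: 1.3` together with `tlsMaxVersion: 1.2`, which is exactly the combination the new Validate row rejects with "TLSMinVersion greater than TLSMaxVersion". If this test only exercises YAML unmarshalling, the new validation ships untested; if it ever runs Validate, it fails. Suggest a valid pair here (1.2/1.3) plus a dedicated Validate test case for the inverted ordering and for an unsupported value such as 1.1.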
cmd/dex/serve.go+26 −2 modified@@ -145,9 +145,23 @@ func runServe(options serveOptions) error { tls.TLS_RSA_WITH_AES_256_GCM_SHA384, } + allowedTLSVersions := map[string]int{ + "1.2": tls.VersionTLS12, + "1.3": tls.VersionTLS13, + } + if c.GRPC.TLSCert != "" { + tlsMinVersion := tls.VersionTLS12 + if c.GRPC.TLSMinVersion != "" { + tlsMinVersion = allowedTLSVersions[c.GRPC.TLSMinVersion] + } + tlsMaxVersion := 0 // default for max is whatever Go defaults to + if c.GRPC.TLSMaxVersion != "" { + tlsMaxVersion = allowedTLSVersions[c.GRPC.TLSMaxVersion] + } baseTLSConfig := &tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: uint16(tlsMinVersion), + MaxVersion: uint16(tlsMaxVersion), CipherSuites: allowedTLSCiphers, PreferServerCipherSuites: true, } @@ -422,8 +436,18 @@ func runServe(options serveOptions) error { return fmt.Errorf("listening (%s) on %s: %v", name, c.Web.HTTPS, err) } + tlsMinVersion := tls.VersionTLS12 + if c.Web.TLSMinVersion != "" { + tlsMinVersion = allowedTLSVersions[c.Web.TLSMinVersion] + } + tlsMaxVersion := 0 // default for max is whatever Go defaults to + if c.Web.TLSMaxVersion != "" { + tlsMaxVersion = allowedTLSVersions[c.Web.TLSMaxVersion] + } + baseTLSConfig := &tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: uint16(tlsMinVersion), + MaxVersion: uint16(tlsMaxVersion), CipherSuites: allowedTLSCiphers, PreferServerCipherSuites: true, }
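Review bot: `allowedTLSVersions[c.GRPC.TLSMinVersion]` and its three sibling lookups silently yield 0 on a miss, and 0 in tls.Config.MinVersion means Go's default floor, which is the very behaviour this advisory is about; the code is safe only because Validate runs first. A `v, ok := allowedTLSVersions[...]; if !ok { return fmt.Errorf(...) }` would make it self-protecting, and since the GRPC and Web blocks are identical apart from the config field, a `tlsVersionsFromConfig(min, max string) (uint16, uint16, error)` helper (with a map[string]uint16, dropping the uint16() casts) would remove the duplication. Separately, this hunk only changes how baseTLSConfig is built; the defect in the advisory is that the listener was handed a config other than baseTLSConfig once the reloader was added, and that wiring is not visible here, so confirm that the config passed to the HTTPS and gRPC listeners is derived from baseTLSConfig.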
config.yaml.dist+2 −0 modified@@ -55,6 +55,8 @@ web: # https: 127.0.0.1:5554 # tlsCert: /etc/dex/tls.crt # tlsKey: /etc/dex/tls.key + # tlsMinVersion: 1.2 + # tlsMaxVersion: 1.3 # Dex UI configuration # frontend:
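Review bot: the commented example `tlsMinVersion: 1.2` / `tlsMaxVersion: 1.3` shows the defaults, so uncommenting it changes nothing; a one-line comment stating that only 1.2 and 1.3 are accepted and what applies when the keys are absent would be more useful to an operator than the bare values, and the same two keys under the grpc block deserve an entry as well since this patch adds them there too.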
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-gr79-9v6v-gc9r (advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2024-23656 (advisory)
- [3] https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go
- [4] https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- [5] https://github.com/dexidp/dex/issues/2848
- [6] https://github.com/dexidp/dex/pull/2964
- [7] https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r (vendor confirmation)