Temporal api-go Library gRPC Proxy Update Response Data Handling Vulnerability

Vulnerability

A vulnerability exists in the Temporal api-go library in versions prior to 1.44.1, specifically when the proxy package is used in a gRPC proxy before transmission. The issue arises with the UpdateWorkflowExecution APIs, released on January 13, 2025, where the library failed to send update response information to the Data Converter. As a result, the update response field did not undergo the necessary Data Converter transformations, such as encryption. While other data fields were correctly processed, this oversight could lead to unencrypted sensitive information being transmitted when using the UpdateWorkflowExecution APIs with an affected proxy.

Impact

Exploitation of this vulnerability could result in sensitive information being transmitted without encryption, potentially exposing it to interception during transit.

Remediation

Users can upgrade to the Temporal api-go library version 1.44.1 or later, where this issue has been addressed.
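
One way to check a Go project against both conditions in this advisory (an api-go version prior to 1.44.1 and use of the proxy package), as an added example that is not Temporal's code. It assumes the library's module path is go.temporal.io/api, which the page does not state; the go.mod and source text in main are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumed module path of the api-go library (not stated in the advisory).
const modulePath = "go.temporal.io/api"

var fixed = [3]int{1, 44, 1} // fixed release named in the advisory

var requireRe = regexp.MustCompile(`(?m)^\s*(?:require\s+)?go\.temporal\.io/api\s+v(\d+)\.(\d+)\.(\d+)(\S*)`)

// beforeFix reports whether go.mod requires an api-go version that sorts
// before 1.44.1; a pre-release or pseudo-version of 1.44.1 counts as unfixed.
func beforeFix(goMod string) bool {
	m := requireRe.FindStringSubmatch(goMod)
	if m == nil {
		return false // module not required at all
	}
	for i, want := range fixed {
		if got, _ := strconv.Atoi(m[i+1]); got != want {
			return got < want
		}
	}
	return strings.HasPrefix(m[4], "-")
}

// Exposed is true only when both advisory conditions hold: a version prior
// to 1.44.1 and at least one source file importing the proxy package.
func Exposed(goMod string, sources ...string) bool {
	all := strings.Join(sources, "\n")
	usesProxy := strings.Contains(all, `"`+modulePath+`/proxy"`)
	return beforeFix(goMod) && usesProxy
}

func main() {
	// Constructed sample inputs, not taken from any real project.
	goMod := "module example.test/codec-proxy\n\nrequire (\n\tgo.temporal.io/api v1.43.0\n)\n"
	src := "package main\nimport \"go.temporal.io/api/proxy\"\n"
	fmt.Println("exposed:", Exposed(goMod, src))
}
```

A project flagged here only transmits the update response unconverted if it also calls the UpdateWorkflowExecution APIs through that proxy, so treat a positive result as a prompt to upgrade and to review which traffic passed through it.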

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.