VolSync v0.12 general availability release images, which provide
enhancements, security fixes, and updated container images.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

VolSync v0.12.1 is a Kubernetes operator that enables asynchronous
replication of persistent volumes within a cluster, or across clusters. After
deploying the VolSync operator, it can create and maintain copies of your
persistent data.

For more information about VolSync, see:

https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/

This advisory contains enhancements and updates to the VolSync
container images.

Security fix(es):

* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-22868: Improper Validation of Syntactic Correctness of Input
 (CWE-1286)
CVE-2025-22869: Allocation of Resources Without Limits or Throttling (CWE-770)