chore(deps): update module golang.org/x/net to v0.45.0 [security] (main) #428

Open
redhat-renovate-bot wants to merge 1 commit into main from renovate/main-go-golang.org-x-net-vulnerability

Conversation


redhat-renovate-bot (Collaborator) commented Feb 9, 2026

This PR contains the following updates:

Package Type Update Change
golang.org/x/net indirect minor v0.43.0 -> v0.45.0

Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440


Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441


Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

redhat-renovate-bot added the release-note-none label (Denotes a PR that doesn't merit a release note) Feb 9, 2026
@redhat-renovate-bot

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
golang.org/x/sync v0.16.0 -> v0.17.0
golang.org/x/sys v0.35.0 -> v0.36.0
golang.org/x/term v0.34.0 -> v0.35.0
golang.org/x/text v0.28.0 -> v0.29.0
go 1.23.0 -> 1.24.0

kubevirt-bot added the dco-signoff: yes label (Indicates the PR's author has DCO signed all their commits) Feb 9, 2026
@kubevirt-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign alonakaplan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist

Summary of Changes

Hello @redhat-renovate-bot, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the security and stability of the project by updating core Go dependencies. It addresses known vulnerabilities in the HTML parsing library and incorporates various improvements and refactorings within the HTTP/2 stack, alongside a general update to the Go language version. The changes aim to ensure the application remains secure and performs optimally with the latest upstream fixes and features.

Highlights

  • Security Update: The golang.org/x/net module has been updated to v0.45.0 to address two critical security vulnerabilities: an infinite parsing loop (CVE-2025-58190) and quadratic parsing complexity (CVE-2025-47911) in golang.org/x/net/html.Parse that could lead to Denial of Service (DoS).
  • Dependency Updates: Several other golang.org/x modules have also been updated to their latest versions, including golang.org/x/sync to v0.17.0, golang.org/x/sys to v0.36.0, golang.org/x/term to v0.35.0, and golang.org/x/text to v0.29.0.
  • Go Version Update: The required Go language version has been bumped from 1.23.0 to 1.24.0.
  • HTML Parser Enhancements: The HTML parser in golang.org/x/net/html now includes a mechanism to prevent deep nesting of elements (limiting to 512 nodes) and handles panics gracefully by converting them to errors, improving robustness against malformed HTML.
  • HTTP/2 Refinements: The HTTP/2 implementation has seen significant refactoring, including the removal of synctestGroupInterface for timer management, consolidation of HTTP/2 configuration logic, and the introduction of RFC 9218-based priority write scheduling.
Changelog
  • go.mod
    • Updated golang.org/x/net from v0.43.0 to v0.45.0.
    • Updated golang.org/x/sync from v0.16.0 to v0.17.0.
    • Updated golang.org/x/sys from v0.35.0 to v0.36.0.
    • Updated golang.org/x/term from v0.34.0 to v0.35.0.
    • Updated golang.org/x/text from v0.28.0 to v0.29.0.
    • Updated Go language version from 1.23.0 to 1.24.0.
  • go.sum
    • Updated checksums for golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, and golang.org/x/text.
  • vendor/golang.org/x/net/html/escape.go
    • Modified a panic message to include 'html:' prefix for consistency.
  • vendor/golang.org/x/net/html/parse.go
    • Enhanced panic messages with 'html: internal error:' prefix and more context.
    • Introduced insertOpenElement function to manage the open element stack, adding a panic if the stack exceeds 512 nodes to prevent infinite loops.
    • Updated calls to append(p.oe, ...) to use the new p.insertOpenElement(...).
    • Corrected a section reference in comments from '12.2.6.4.14.' to '13.2.6.4.14.'.
    • Improved parsing logic for inRowIM when handling EndTagToken for table-related elements, using elementInScope, clearStackToContext, and oe.pop() for better robustness.
    • Refined parseForeignContent to handle end tags more accurately, especially when the last element on the stack matches.
    • Added a defer recover block to the parse function to convert panics into returned errors.
    • Added a comment to the Parse function indicating rejection of HTML nested deeper than 512 elements.
  • vendor/golang.org/x/net/html/render.go
    • Corrected a typo in a comment from 'beging' to 'being'.
  • vendor/golang.org/x/net/http2/config.go
    • Added StrictMaxConcurrentRequests field to http2Config.
    • Refactored configFromServer and configFromTransport to use a new fillNetHTTPConfig function for centralized HTTP/2 configuration.
    • Added fillNetHTTPConfig function to populate http2Config from http.HTTP2Config.
  • vendor/golang.org/x/net/http2/config_go124.go
    • Removed file (functionality refactored).
  • vendor/golang.org/x/net/http2/config_go125.go
    • Added file with http2ConfigStrictMaxConcurrentRequests fallback for Go versions before 1.26.
  • vendor/golang.org/x/net/http2/config_go126.go
    • Added file with http2ConfigStrictMaxConcurrentRequests implementation for Go 1.26+.
  • vendor/golang.org/x/net/http2/config_pre_go124.go
    • Removed file (functionality refactored).
  • vendor/golang.org/x/net/http2/frame.go
    • Corrected a comment typo in startWrite.
    • Added defaultRFC9218Priority and new urgency/incremental fields to PriorityParam for RFC 9218 prioritization.
    • Added a comment explaining the two HTTP/2 prioritization schemes (RFC 7540 and RFC 9218).
  • vendor/golang.org/x/net/http2/gotrack.go
    • Introduced disableDebugGoroutines atomic boolean to prevent race detector issues in tests.
    • Updated goroutine tracking functions to respect disableDebugGoroutines.
  • vendor/golang.org/x/net/http2/http2.go
    • Removed context import and inTests variable.
    • Removed synctestGroupInterface and related test-specific timer management.
    • Refactored bufferedWriter and writeWithByteTimeout to remove synctestGroupInterface dependency.
  • vendor/golang.org/x/net/http2/server.go
    • Removed test-specific timer management (group, markNewGoroutine, now, newTimer, afterFunc) from Server.
    • Introduced per-Server errChanPool for error channel management.
    • Updated ConfigureServer to initialize the new errChanPool.
    • Ensured ServeConn handles nil options gracefully.
    • Changed timer fields (shutdownTimer, idleTimer, readIdleTimer, readDeadline, writeDeadline) from interface to concrete *time.Timer.
    • Replaced calls to custom timer functions and now() with standard time package functions.
    • Updated error channel pooling to use the new per-Server pool.
  • vendor/golang.org/x/net/http2/timer.go
    • Removed file (timer interface replaced by concrete *time.Timer).
  • vendor/golang.org/x/net/http2/transport.go
    • Removed test-specific timer management from Transport.
    • Added strictMaxConcurrentStreams field to ClientConn.
    • Removed group field from stickyErrWriter.
    • Replaced custom timer functions and now() with standard time package functions.
    • Added errClientConnForceClosed error.
    • Updated ClientConn.Close to use the new errClientConnForceClosed.
    • Updated newClientConn to initialize strictMaxConcurrentStreams.
  • vendor/golang.org/x/net/http2/writesched.go
    • Added priority field to OpenStreamOptions.
  • vendor/golang.org/x/net/http2/writesched_priority.go
    • Renamed to vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go.
    • Renamed types and constants to explicitly refer to RFC 7540 prioritization.
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9128.go
    • Added file implementing a new priority write scheduler based on RFC 9218.
  • vendor/golang.org/x/net/http2/writesched_roundrobin.go
    • Corrected a typo in a comment from 'priorizes' to 'prioritizes'.
  • vendor/golang.org/x/net/internal/httpcommon/request.go
    • Corrected typos in comments ('EncodeHeadersParam' to 'EncodeHeadersResult', 'returing' to 'returning').
  • vendor/golang.org/x/net/internal/socks/socks.go
    • Corrected a typo in a comment from 'cancelation' to 'cancellation'.
  • vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go
    • Removed file.
  • vendor/golang.org/x/sys/plan9/pwd_plan9.go
    • Removed go:build !go1.5 directive.
    • Updated fixwd, Getwd, Chdir to use syscall package functions directly.
  • vendor/golang.org/x/sys/unix/affinity_linux.go
    • Replaced manual loop for CPUSet.Zero() with clear(s[:]) for efficiency.
  • vendor/golang.org/x/sys/unix/syscall_solaris.go
    • Updated Listen syscall definition from __xnet_llisten to __xnet_listen.
  • vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
    • Updated dynamic import and linkname for Listen from __xnet_llisten to __xnet_listen.
  • vendor/golang.org/x/sys/unix/ztypes_linux.go
    • Added new constants and IfAddrlblmsg struct for Linux network types.
  • vendor/golang.org/x/sys/windows/types_windows.go
    • Added FileZeroDataInformation struct for Windows types.
  • vendor/modules.txt
    • Updated versions and Go versions for golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text.
Activity
  • This pull request was automatically generated by Renovate Bot to update Go module dependencies.
  • The PR description details two security vulnerabilities (CVE-2025-58190 and CVE-2025-47911) in golang.org/x/net/html that are addressed by this update.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.
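The two vulnerability entries in the PR description (an infinite parsing loop and quadratic parsing complexity in html.Parse) and the parse.go changelog items in the summary above (a 512-node cap enforced by insertOpenElement, and a deferred recover in parse that turns panics into returned errors) describe one defensive pattern: bound the work an untrusted document can cause, and make the bound surface as an error instead of a crash or a hang. The following is an added, standard-library-only illustration of that pattern; it is not code from golang.org/x/net or from this repository, it does not import the vendored parser, and its tokenizer, the names parser, parse, parseLimited and nestedInput, and the errTooDeep / errTooLarge errors are all constructed for this example. Only the 512 limit is taken from the PR text. The parseLimited byte cap goes slightly beyond what the page describes: it is the complementary control a practitioner would add for the quadratic-complexity class of issue, since the parser's cost can then only grow as far as the cap allows.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxOpenElements mirrors the 512-node limit the changelog describes for
// html.Parse in golang.org/x/net v0.45.0. The value comes from the PR text;
// everything else in this file is a constructed illustration.
const maxOpenElements = 512

var (
	errTooDeep  = errors.New("html: nesting depth exceeds limit")
	errTooLarge = errors.New("html: input exceeds size limit")
)

// parser keeps only what the example needs: the open-element stack (p.oe).
type parser struct {
	oe []string // tag names of elements opened but not yet closed
}

// insertOpenElement pushes a tag onto the open-element stack and panics
// once the stack is full, the same shape as the defence the changelog
// describes. The panic is converted to an error by parse's deferred recover.
func (p *parser) insertOpenElement(tag string) {
	if len(p.oe) >= maxOpenElements {
		panic(errTooDeep)
	}
	p.oe = append(p.oe, tag)
}

// parse walks a crude "<tag>" / "</tag>" stream (text between tags is
// ignored) and reports the deepest nesting seen. No panic escapes to the
// caller: internal failures become a returned error with depth reset to 0.
func parse(src string) (depth int, err error) {
	defer func() {
		if r := recover(); r != nil {
			depth = 0
			if e, ok := r.(error); ok {
				err = e
			} else {
				err = fmt.Errorf("html: internal error: %v", r)
			}
		}
	}()
	p := &parser{}
	for i := 0; i < len(src); i++ {
		if src[i] != '<' {
			continue
		}
		end := strings.IndexByte(src[i:], '>')
		if end < 0 {
			break // unterminated tag: nothing more to do
		}
		tag := src[i+1 : i+end]
		i += end // resume scanning after the closing '>'
		switch {
		case tag == "":
			// "<>" is not a tag; skip it
		case strings.HasPrefix(tag, "/"):
			if len(p.oe) > 0 {
				p.oe = p.oe[:len(p.oe)-1] // unmatched end tags are ignored
			}
		default:
			p.insertOpenElement(tag)
			if len(p.oe) > depth {
				depth = len(p.oe)
			}
		}
	}
	return depth, nil
}

// parseLimited caps the number of bytes read from an untrusted reader before
// parsing, so the parser's cost cannot grow past the bound the caller chose.
func parseLimited(r io.Reader, maxBytes int64) (int, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return 0, err
	}
	if int64(len(data)) > maxBytes {
		return 0, errTooLarge
	}
	return parse(string(data))
}

// nestedInput builds a constructed sample: n unclosed <div> start tags.
func nestedInput(n int) string {
	return strings.Repeat("<div>", n)
}

func main() {
	for _, n := range []int{3, maxOpenElements, maxOpenElements + 1} {
		depth, err := parse(nestedInput(n))
		fmt.Printf("%d nested tags: depth=%d err=%v\n", n, depth, err)
	}
	_, err := parseLimited(strings.NewReader(nestedInput(1000)), 1024)
	fmt.Println("size-capped parse:", err)
}
```

Run it with `go run .`: 3 and 512 nested tags parse with no error, the 513th start tag is rejected with errTooDeep rather than growing the stack without bound, and the 1000-tag document is refused by the byte cap before the parser ever sees it. The recover in parse is deliberately narrow, it rewraps whatever was raised as an error, so a caller checking the result with errors.Is can distinguish the depth limit from an unexpected internal failure.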


gemini-code-assist bot left a comment


Code Review

This pull request updates golang.org/x/net and other dependencies, primarily to address critical security vulnerabilities CVE-2025-58190 (infinite parsing loop) and CVE-2025-47911 (quadratic parsing complexity) in the HTML parser. These changes effectively mitigate potential Denial of Service (DoS) attacks by introducing a hard limit of 512 nested elements in the insertOpenElement method and ensuring graceful error handling in the parse method within vendor/golang.org/x/net/html/parse.go. Beyond the security fixes, the PR also includes significant refactoring of the http2 package, introduces support for RFC 9218 (Extensible Priorities for HTTP), and incorporates general improvements such as a security enhancement to prevent URI misuse by checking for userinfo in the :authority pseudo-header in internal/httpcommon/request.go. While the security aspects are well-handled and no new vulnerabilities were introduced, a couple of minor issues related to clarity and maintainability were identified in the newly vendored code, which have been detailed in specific comments. Overall, this is a solid and necessary update that successfully integrates important security patches and follows best practices.

Comment on lines +142 to +144
if h2.MaxConcurrentStreams != 0 {
conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
}
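Review bot: the `!= 0` guard on line +142 does not exclude negative values, and `uint32(h2.MaxConcurrentStreams)` on line +143 would wrap a negative value to a very large stream limit rather than rejecting it. Since `MaxConcurrentStreams` on `net/http.HTTP2Config` is a signed `int`, `> 0` is the safer condition; whichever copy of this block is kept after the duplication noted below should use it.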


medium

This block of code appears to be a duplicate of lines 130-132. It should be removed to avoid redundancy and improve code clarity.

@@ -0,0 +1,209 @@
// Copyright 2025 The Go Authors. All rights reserved.


medium

There seems to be a typo in the filename. The file content refers to RFC 9218 for extensible prioritization, but the filename is writesched_priority_rfc9128.go. For consistency and to avoid confusion, it should probably be renamed to writesched_priority_rfc9218.go.

redhat-renovate-bot changed the title from "chore(deps): update module golang.org/x/net to v0.45.0 [security] (main)" to "chore(deps): update module golang.org/x/net to v0.45.0 [security] (main) - autoclosed" Feb 11, 2026
redhat-renovate-bot deleted the renovate/main-go-golang.org-x-net-vulnerability branch February 11, 2026 22:15
Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
redhat-renovate-bot changed the title from "chore(deps): update module golang.org/x/net to v0.45.0 [security] (main) - autoclosed" to "chore(deps): update module golang.org/x/net to v0.45.0 [security] (main)" Feb 17, 2026
redhat-renovate-bot force-pushed the renovate/main-go-golang.org-x-net-vulnerability branch 2 times, most recently from 1100d5c to db77e36, February 17, 2026 17:45