Update module golang.org/x/net to v0.55.0 [SECURITY] (release-0.34)#521
Conversation
Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: redhat-renovate-bot The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@redhat-renovate-bot: The following test failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Code Review
This pull request performs a major update to vendored dependencies, notably refactoring the http2 package for Go 1.27+ compatibility and RFC 9218 prioritization, updating idna for Unicode 16.0.0, and expanding syscall support in x/sys. Critical feedback includes the incorrect use of an unreleased Go version (1.25.0) in go.mod and a breaking change in the HTML parser's attribute ordering. The review also highlights regressions in error reporting for unknown frame types, non-compliance with RFC 9651 in the httpsfv parser regarding hex case-sensitivity and strict comma separation, and performance inefficiencies in the tokenizer's attribute handling. Additionally, the single-entry buffer for PRIORITY_UPDATE frames was flagged as potentially insufficient for complex sessions.
| go 1.22.0 | ||
|
|
||
| toolchain go1.22.5 | ||
| go 1.25.0 |
|
|
||
| // In order to optimize the search, we need the attributes to be sorted, so we | ||
| // can just use slices.Equal. | ||
| slices.SortFunc(attr, attrCompare) |
There was a problem hiding this comment.
Sorting attributes in-place on the token's attribute slice (which is shared with the Node added to the tree) is a breaking change in behavior. While HTML attributes are generally unordered, x/net/html has historically preserved the original order. This change will affect the output of Render and may break tools or tests that rely on attribute order. Consider sorting a copy of the attributes for comparison purposes instead of mutating the tree nodes.
| slices.SortFunc(top.Attr, attrCompare) | ||
|
|
There was a problem hiding this comment.
This call to slices.SortFunc is redundant. The attributes of top.Attr were already sorted at line 358 because top.Attr points to the same slice as the attr variable used earlier in this function.
References
- Avoid redundant operations and unnecessary calculations to maintain efficiency and clarity. (link)
| key := strings.ToLower(string(z.buf[z.pendingAttr[0].start:z.pendingAttr[0].end])) | ||
| if saveAttr && z.pendingAttr[0].start != z.pendingAttr[0].end && !z.attrNames[key] { |
There was a problem hiding this comment.
The key string is allocated and strings.ToLower is called for every attribute, even when saveAttr is false. When saveAttr is false (e.g., during some internal parsing phases where attributes are ignored), these allocations are unnecessary and can impact performance. The logic should be moved inside the if saveAttr block.
if saveAttr && z.pendingAttr[0].start != z.pendingAttr[0].end {
key := strings.ToLower(string(z.buf[z.pendingAttr[0].start:z.pendingAttr[0].end]))
if !z.attrNames[key] {
z.attr = append(z.attr, z.pendingAttr)
z.attrNames[key] = true
}
}| if int(t) < len(frameNames) { | ||
| return frameNames[t] | ||
| } |
There was a problem hiding this comment.
The String() method for FrameType will return an empty string for unregistered frame types that fall within the gaps of the frameNames array. This is a regression that silently swallows the unknown state. It should check if the array entry is empty and return a meaningful string like UNKNOWN_FRAME_TYPE_n instead, ensuring the unknown state is propagated to the caller.
func (t FrameType) String() string {
if int(t) < len(frameNames) && frameNames[t] != "" {
return frameNames[t]
}
return fmt.Sprintf("UNKNOWN_FRAME_TYPE_%d", t)
}References
- Utility functions should not silently swallow errors or unknown states. They should propagate errors or return meaningful information to the caller so that error handling is meaningful.
| q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental | ||
| if q == nil { | ||
| ws.priorityUpdateBuf.streamID = streamID |
There was a problem hiding this comment.
The priorityUpdateBuf only stores a single PRIORITY_UPDATE for an unopened stream. If a client sends multiple PRIORITY_UPDATE frames for different streams before they are opened, only the last one will be applied. While RFC 9218 allows buffering, a single-entry buffer might be insufficient and lead to unexpected prioritization behavior for complex sessions.
| decBase16 := func(in byte) (out byte, ok bool) { | ||
| if !isDigit(in) && !(in >= 'a' && in <= 'f') { | ||
| return 0, false | ||
| } |
There was a problem hiding this comment.
RFC 9651 Section 3.3.8 specifies that hexadecimal digits in Display Strings are case-insensitive. The current implementation of decBase16 only accepts lowercase letters 'a' through 'f', which will cause parsing failures for valid SFV strings containing uppercase hex digits.
if !isDigit(in) && !(in >= 'a' && in <= 'f') && !(in >= 'A' && in <= 'F') {
return 0, false
}
if isDigit(in) {
return in - '0', true
}
if in >= 'a' && in <= 'f' {
return in - 'a' + 10, true
}
return in - 'A' + 10, true| } | ||
| s = s[countLeftWhitespace(s):] | ||
| if len(s) == 0 { |
There was a problem hiding this comment.
In ParseDictionary, the comma separator check is too lenient. If a comma is missing between members but there is trailing content, the parser will attempt to parse the next key immediately. This silently swallows the formatting error and is inconsistent with ParseList and RFC 9651 Section 4.2.1.2. The parser should strictly check for the comma to ensure errors are not swallowed.
| } | |
| s = s[countLeftWhitespace(s):] | |
| if len(s) == 0 { | |
| if s[0] != ',' { | |
| return false | |
| } | |
| s = s[1:] |
References
- Utility functions should not silently swallow errors. They should propagate errors to the caller so that error handling at the call site is meaningful.
This PR contains the following updates:
v0.33.0→v0.55.0HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503
More information
Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503
More information
Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
golang.org/x/net vulnerable to Cross-site Scripting
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Quadratic parsing complexity in golang.org/x/net/html
CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440
More information
Details
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Infinite parsing loop in golang.org/x/net
CVE-2025-58190 / GO-2026-4441
More information
Details
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
BIT-golang-2026-33814 / CVE-2026-33814 / GO-2026-4918
More information
Details
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Go Net HTML parser is vulnerable to denial of service
CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028
More information
Details
In Go Net (
golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
CVE-2026-42506 / GO-2026-5025
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
CVE-2026-39821 / GO-2026-5026
More information
Details
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.
This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
CVE-2026-42502 / GO-2026-5027
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028
More information
Details
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
CVE-2026-25681 / GO-2026-5029
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
CVE-2026-27136 / GO-2026-5030
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.