Skip to content

Update module golang.org/x/net to v0.55.0 [SECURITY] (release-0.34)#521

Open
redhat-renovate-bot wants to merge 1 commit into
release-0.34from
renovate/release-0.34-go-golang.org-x-net-vulnerability
Open

Update module golang.org/x/net to v0.55.0 [SECURITY] (release-0.34)#521
redhat-renovate-bot wants to merge 1 commit into
release-0.34from
renovate/release-0.34-go-golang.org-x-net-vulnerability

Conversation

@redhat-renovate-bot

@redhat-renovate-bot redhat-renovate-bot commented May 23, 2026

Copy link
Copy Markdown
Collaborator

This PR contains the following updates:

Package Type Update Change
golang.org/x/net indirect minor v0.33.0v0.55.0

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440

More information

Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441

More information

Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

BIT-golang-2026-33814 / CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Go Net HTML parser is vulnerable to denial of service

CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028

More information

Details

In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-42506 / GO-2026-5025

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVE-2026-39821 / GO-2026-5026

More information

Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-42502 / GO-2026-5027

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028

More information

Details

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

CVE-2026-25681 / GO-2026-5029

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-27136 / GO-2026-5030

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label May 23, 2026
@redhat-renovate-bot

Copy link
Copy Markdown
Collaborator Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
golang.org/x/sys v0.28.0 -> v0.45.0
golang.org/x/term v0.27.0 -> v0.43.0
golang.org/x/text v0.21.0 -> v0.37.0
go 1.22.0 -> 1.25.0

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label May 23, 2026
@kubevirt-bot

Copy link
Copy Markdown
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign schseba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot

Copy link
Copy Markdown
Collaborator

@redhat-renovate-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-e2e-ovs-cni f4be141 link true /test pull-e2e-ovs-cni-0.34
Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request performs a major update to vendored dependencies, notably refactoring the http2 package for Go 1.27+ compatibility and RFC 9218 prioritization, updating idna for Unicode 16.0.0, and expanding syscall support in x/sys. Critical feedback includes the incorrect use of an unreleased Go version (1.25.0) in go.mod and a breaking change in the HTML parser's attribute ordering. The review also highlights regressions in error reporting for unknown frame types, non-compliance with RFC 9651 in the httpsfv parser regarding hex case-sensitivity and strict comma separation, and performance inefficiencies in the tokenizer's attribute handling. Additionally, the single-entry buffer for PRIORITY_UPDATE frames was flagged as potentially insufficient for complex sessions.

Comment thread go.mod
go 1.22.0

toolchain go1.22.5
go 1.25.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The go directive is set to 1.25.0. This version of Go has not been released yet (Go 1.24 is the current/upcoming version). This will cause build failures in most environments as the Go toolchain will refuse to compile a module requiring a future version.


// In order to optimize the search, we need the attributes to be sorted, so we
// can just use slices.Equal.
slices.SortFunc(attr, attrCompare)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Sorting attributes in-place on the token's attribute slice (which is shared with the Node added to the tree) is a breaking change in behavior. While HTML attributes are generally unordered, x/net/html has historically preserved the original order. This change will affect the output of Render and may break tools or tests that rely on attribute order. Consider sorting a copy of the attributes for comparison purposes instead of mutating the tree nodes.

Comment on lines +389 to +390
slices.SortFunc(top.Attr, attrCompare)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This call to slices.SortFunc is redundant. The attributes of top.Attr were already sorted at line 358 because top.Attr points to the same slice as the attr variable used earlier in this function.

References
  1. Avoid redundant operations and unnecessary calculations to maintain efficiency and clarity. (link)

Comment on lines +886 to +887
key := strings.ToLower(string(z.buf[z.pendingAttr[0].start:z.pendingAttr[0].end]))
if saveAttr && z.pendingAttr[0].start != z.pendingAttr[0].end && !z.attrNames[key] {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The key string is allocated and strings.ToLower is called for every attribute, even when saveAttr is false. When saveAttr is false (e.g., during some internal parsing phases where attributes are ignored), these allocations are unnecessary and can impact performance. The logic should be moved inside the if saveAttr block.

if saveAttr && z.pendingAttr[0].start != z.pendingAttr[0].end {
			key := strings.ToLower(string(z.buf[z.pendingAttr[0].start:z.pendingAttr[0].end]))
			if !z.attrNames[key] {
				z.attr = append(z.attr, z.pendingAttr)
				z.attrNames[key] = true
			}
		}

Comment on lines +61 to 63
if int(t) < len(frameNames) {
return frameNames[t]
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The String() method for FrameType will return an empty string for unregistered frame types that fall within the gaps of the frameNames array. This is a regression that silently swallows the unknown state. It should check if the array entry is empty and return a meaningful string like UNKNOWN_FRAME_TYPE_n instead, ensuring the unknown state is propagated to the caller.

func (t FrameType) String() string {
	if int(t) < len(frameNames) && frameNames[t] != "" {
		return frameNames[t]
	}
	return fmt.Sprintf("UNKNOWN_FRAME_TYPE_%d", t)
}
References
  1. Utility functions should not silently swallow errors or unknown states. They should propagate errors or return meaningful information to the caller so that error handling is meaningful.

Comment on lines +111 to +113
q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
if q == nil {
ws.priorityUpdateBuf.streamID = streamID

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The priorityUpdateBuf only stores a single PRIORITY_UPDATE for an unopened stream. If a client sends multiple PRIORITY_UPDATE frames for different streams before they are opened, only the last one will be applied. While RFC 9218 allows buffering, a single-entry buffer might be insufficient and lead to unexpected prioritization behavior for complex sessions.

decBase16 := func(in byte) (out byte, ok bool) {
if !isDigit(in) && !(in >= 'a' && in <= 'f') {
return 0, false
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

RFC 9651 Section 3.3.8 specifies that hexadecimal digits in Display Strings are case-insensitive. The current implementation of decBase16 only accepts lowercase letters 'a' through 'f', which will cause parsing failures for valid SFV strings containing uppercase hex digits.

if !isDigit(in) && !(in >= 'a' && in <= 'f') && !(in >= 'A' && in <= 'F') {
			return 0, false
		}
		if isDigit(in) {
			return in - '0', true
		}
		if in >= 'a' && in <= 'f' {
			return in - 'a' + 10, true
		}
		return in - 'A' + 10, true

Comment on lines +250 to +252
}
s = s[countLeftWhitespace(s):]
if len(s) == 0 {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In ParseDictionary, the comma separator check is too lenient. If a comma is missing between members but there is trailing content, the parser will attempt to parse the next key immediately. This silently swallows the formatting error and is inconsistent with ParseList and RFC 9651 Section 4.2.1.2. The parser should strictly check for the comma to ensure errors are not swallowed.

Suggested change
}
s = s[countLeftWhitespace(s):]
if len(s) == 0 {
if s[0] != ',' {
return false
}
s = s[1:]
References
  1. Utility functions should not silently swallow errors. They should propagate errors to the caller so that error handling at the call site is meaningful.

@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module golang.org/x/net to v0.55.0 [security] (release-0.34) Update module golang.org/x/net to v0.55.0 [SECURITY] (release-0.34) Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants