Skip to content

Update module golang.org/x/net to v0.55.0 [SECURITY]#65

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-golang.org-x-net-vulnerability
Open

Update module golang.org/x/net to v0.55.0 [SECURITY]#65
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-golang.org-x-net-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 17, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
golang.org/x/net v0.41.0v0.55.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440

More information

Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441

More information

Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

BIT-golang-2026-33814 / CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Go Net HTML parser is vulnerable to denial of service

CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028

More information

Details

In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-42506 / GO-2026-5025

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVE-2026-39821 / GO-2026-5026

More information

Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-42502 / GO-2026-5027

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-25680 / GHSA-5cv4-jp36-h3mw / GO-2026-5028

More information

Details

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

CVE-2026-25681 / GO-2026-5029

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-27136 / GO-2026-5030

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone America/Toronto)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Feb 17, 2026

Copy link
Copy Markdown
Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.4 -> 1.25.0
golang.org/x/crypto v0.39.0 -> v0.51.0
golang.org/x/sync v0.15.0 -> v0.20.0
golang.org/x/sys v0.33.0 -> v0.45.0
golang.org/x/term v0.32.0 -> v0.43.0
golang.org/x/text v0.26.0 -> v0.37.0

@renovate renovate Bot force-pushed the renovate/go-golang.org-x-net-vulnerability branch from f7e0cdf to e3f80e7 Compare May 8, 2026 12:11
@renovate renovate Bot changed the title Update module golang.org/x/net to v0.45.0 [SECURITY] Update module golang.org/x/net to v0.53.0 [SECURITY] May 8, 2026
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/go-golang.org-x-net-vulnerability branch from e3f80e7 to 9aed852 Compare May 24, 2026 07:58
@renovate renovate Bot changed the title Update module golang.org/x/net to v0.53.0 [SECURITY] Update module golang.org/x/net to v0.55.0 [SECURITY] May 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants