Skip to content

chore(deps): update module golang.org/x/net to v0.45.0 [security] (release-v0.1)#385

Open
redhat-renovate-bot wants to merge 1 commit intorelease-v0.1from
renovate/release-v0.1-go-golang.org-x-net-vulnerability
Open

chore(deps): update module golang.org/x/net to v0.45.0 [security] (release-v0.1)#385
redhat-renovate-bot wants to merge 1 commit intorelease-v0.1from
renovate/release-v0.1-go-golang.org-x-net-vulnerability

Conversation

@redhat-renovate-bot
Copy link
Collaborator

@redhat-renovate-bot redhat-renovate-bot commented Feb 7, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
golang.org/x/net require minor v0.33.0 -> v0.45.0

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GO-2026-4440

More information

Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441

More information

Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@redhat-renovate-bot
chore(deps): update module golang.org/x/net to v0.45.0 [security]
d714123 
Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Feb 7, 2026
@redhat-renovate-bot
Copy link
Collaborator Author

redhat-renovate-bot commented Feb 7, 2026

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.19 -> 1.24.0
golang.org/x/sys v0.29.0 -> v0.36.0
golang.org/x/term v0.28.0 -> v0.35.0
golang.org/x/text v0.21.0 -> v0.29.0

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Feb 7, 2026
@kubevirt-bot
Copy link
Contributor

kubevirt-bot commented Feb 7, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign akrejcir for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Feb 7, 2026

@redhat-renovate-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/unittests d714123 link true /test unittests
ci/prow/images d714123 link true /test images
ci/prow/e2e-functests d714123 link true /test e2e-functests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akrejcir akrejcir Awaiting requested review from akrejcir

@ksimon1 ksimon1 Awaiting requested review from ksimon1

Assignees

No one assigned

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note. size/XXL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@redhat-renovate-bot @kubevirt-bot