Skip to content
This repository was archived by the owner on Nov 19, 2025. It is now read-only.

chore(deps): update module golang.org/x/net to v0.38.0 [security]#62

Closed
NumaryBot wants to merge 1 commit intomainfrom
renovate/go-golang.org-x-net-vulnerability
Closed

chore(deps): update module golang.org/x/net to v0.38.0 [security]#62
NumaryBot wants to merge 1 commit intomainfrom
renovate/go-golang.org-x-net-vulnerability

Conversation

@NumaryBot
Copy link
Contributor

@NumaryBot NumaryBot commented Sep 9, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
golang.org/x/net indirect minor v0.34.0 -> v0.38.0

GitHub Vulnerability Alerts

CVE-2025-22870

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

CVE-2025-22872

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@NumaryBot NumaryBot enabled auto-merge (squash) September 9, 2025 10:51
@NumaryBot
Copy link
Contributor Author

NumaryBot commented Sep 9, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.32.0 -> v0.36.0
golang.org/x/sys v0.29.0 -> v0.31.0
golang.org/x/text v0.21.0 -> v0.23.0

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Sep 9, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • go.mod is excluded by !**/*.mod
  • go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/go-golang.org-x-net-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

flemzord
flemzord approved these changes Sep 9, 2025
View reviewed changes
Copy link
Member

@flemzord flemzord left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NumaryBot NumaryBot force-pushed the renovate/go-golang.org-x-net-vulnerability branch from 76af743 to 4e9e158 Compare September 9, 2025 12:56
@NumaryBot NumaryBot removed the security label Sep 9, 2025
@flemzord flemzord closed this Sep 9, 2025
auto-merge was automatically disabled September 9, 2025 13:40

Pull request was closed

@NumaryBot
Copy link
Contributor Author

NumaryBot commented Sep 9, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v0.38.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@NumaryBot NumaryBot deleted the renovate/go-golang.org-x-net-vulnerability branch September 9, 2025 13:42
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@flemzord flemzord flemzord approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NumaryBot @flemzord