fix: bump goldmark to v1.7.17 to fix XSS (CVE-2026-5160)#25216

Merged
Shelnutt2 merged 1 commit into release/2.31 from release/2.31_goldmark_bump
May 13, 2026
Conversation

@Shelnutt2
Contributor

Bump github.com/yuin/goldmark from v1.7.16 to v1.7.17 to fix CVE-2026-5160.

goldmark v1.7.16 is vulnerable to XSS due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities, allowing an attacker to bypass validation with entity-encoded javascript: URIs.

This is the minimal fix for the IronBank finding on the coder/coder-enterprise/coder-service-2:2.31.11 image. The fix is already on main (v1.8.2 via Hugo bump in #23957); this targets the v2.31.x release branch with only the goldmark dependency change.

Closes ENT-8

Generated by Coder Agents

goldmark v1.7.16 is vulnerable to XSS due to improper ordering of URL
validation and normalization. The renderer validates link destinations
using a prefix-based check before resolving HTML entities, allowing
bypass with entity-encoded javascript: URIs.

Bump to v1.7.17 which fixes the vulnerability.
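The ordering bug described in this PR (a prefix check on the raw destination, followed by entity decoding for output) is easy to reproduce in isolation. The following Go example is added here as an illustration and is not goldmark's or Coder's code: `hasDangerousPrefix`, `checkThenNormalize` and `normalizeThenCheck` are hypothetical names standing in for the renderer's `IsDangerousURL`-style check, `dangerousSchemes` is a constructed list, and `html.UnescapeString` from the standard library stands in for the renderer's entity resolution. It shows why the check must run on the exact string that will be emitted into the `href`, not on the pre-decoded text.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// dangerousSchemes is a constructed list of URI schemes a Markdown renderer
// must refuse to emit as link destinations (example only, not goldmark's list).
var dangerousSchemes = []string{"javascript:", "vbscript:", "data:"}

// hasDangerousPrefix is a plain case-insensitive prefix check over whatever
// string it is handed. It is only as good as the string it sees.
func hasDangerousPrefix(dest string) bool {
	lower := strings.ToLower(strings.TrimSpace(dest))
	for _, scheme := range dangerousSchemes {
		if strings.HasPrefix(lower, scheme) {
			return true
		}
	}
	return false
}

// checkThenNormalize models the vulnerable ordering: the prefix check runs on
// the raw Markdown text, and HTML entities are resolved afterwards for output.
// An entity-encoded scheme does not match the prefix, yet decodes to it.
func checkThenNormalize(dest string) (string, bool) {
	if hasDangerousPrefix(dest) {
		return "", false
	}
	return html.UnescapeString(dest), true
}

// normalizeThenCheck models the fixed ordering: resolve entities first, then
// validate the decoded destination, which is what actually reaches the href.
func normalizeThenCheck(dest string) (string, bool) {
	decoded := html.UnescapeString(dest)
	if hasDangerousPrefix(decoded) {
		return "", false
	}
	return decoded, true
}

func main() {
	// Constructed sample destinations: a benign URL with an entity in the
	// query string, and a scheme whose first letter is entity-encoded.
	samples := []string{
		"https://example.com/?a=1&amp;b=2",
		"&#106;avascript:alert(1)",
	}
	for _, s := range samples {
		out1, ok1 := checkThenNormalize(s)
		out2, ok2 := normalizeThenCheck(s)
		fmt.Printf("%-36q check-then-decode: ok=%-5v %q\n", s, ok1, out1)
		fmt.Printf("%-36s decode-then-check: ok=%-5v %q\n", "", ok2, out2)
	}
}
```

The benign URL is accepted by both orderings (and its `&amp;` is correctly decoded to `&`), while the entity-encoded destination slips through only when validation precedes decoding. The general rule is the one the v1.7.17 fix applies: any allow/deny decision about a URL must be made on the fully normalized value that will be written into the document, and re-checked if any later transformation could change it.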
@Shelnutt2 Shelnutt2 added cherry-pick/v2.31 Needs to be cherry-picked to the 2.31 release branch dependencies Pull requests that update a dependency file labels May 12, 2026
@Shelnutt2 Shelnutt2 changed the title fix(go.mod): bump goldmark to v1.7.17 to fix XSS (CVE-2026-5160) fix: bump goldmark to v1.7.17 to fix XSS (CVE-2026-5160) May 12, 2026
@Shelnutt2 Shelnutt2 merged commit cd6eb46 into release/2.31 May 13, 2026
66 of 70 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators May 13, 2026