fix: upgrade golang.org/x/net to v0.55.0 (5 html CVEs)#25772

Merged
f0ssel merged 1 commit into
release/2.32from
seth/upgrade-xnet-v0.55.0-2.32
May 30, 2026
Conversation

@Shelnutt2 Contributor

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on release/2.32 to address 5 CVEs in x/net/html:

CVE             Severity  Description
CVE-2026-25680  Low       DoS via cubic complexity in HTML tree construction
CVE-2026-25681  Low       Incorrect handling of character references in DOCTYPE (XSS)
CVE-2026-27136  Low       Incorrect handling of namespaced elements in foreign content (XSS)
CVE-2026-42502  Low       Incorrect handling of HTML elements in foreign content (XSS)
CVE-2026-42506  Low       Failure to reject ASCII-only Punycode-encoded labels (privilege escalation)

Transitive dependency bumps:

  • golang.org/x/crypto v0.50.0 -> v0.51.0
  • golang.org/x/sys v0.43.0 -> v0.45.0
  • golang.org/x/term v0.42.0 -> v0.43.0
  • golang.org/x/text v0.36.0 -> v0.37.0

Fixes ENT-92
Supersedes ENT-28

Generated with Coder Agents by @Shelnutt2
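A reviewer checking that a release branch actually carries these floors wants a repeatable gate rather than a visual diff of go.mod. The following is an added example, not code from this PR or from the project: it parses a go.mod body, reads the require directives (block and one-line form, ignoring "// indirect" comments), and reports any of the five modules this PR bumps that are still required below the version the PR description names. The Minimum map is taken from the PR description; the go.mod text in main is a constructed sample, and the module path example.com/app is made up. It goes one step beyond the PR text by treating a pseudo-version such as v0.55.0-0.2026...-abcdef as below the v0.55.0 tag, which is how Go orders it, so a go get ...@master snapshot cannot silently pass the gate.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum is the per-module floor after this PR, taken from the PR
// description (the x/net target plus the transitive bumps it lists).
var Minimum = map[string]string{
	"golang.org/x/net":    "v0.55.0",
	"golang.org/x/crypto": "v0.51.0",
	"golang.org/x/sys":    "v0.45.0",
	"golang.org/x/term":   "v0.43.0",
	"golang.org/x/text":   "v0.37.0",
}

// version is the numeric core of a semver string plus whether it carried a
// pre-release suffix: v0.55.0-0.2026...-abcdef sorts below the v0.55.0 tag.
type version struct {
	nums [3]int
	pre  bool
}

func parseVersion(v string) (version, error) {
	var out version
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		out.pre = core[i] == '-'
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(parts) != 3 {
			return out, fmt.Errorf("unrecognised version %q", v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// less: numeric components first, then a pre-release below its plain release.
func less(a, b version) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// RequiredVersions maps module -> version from the require directives of a
// go.mod body (block and one-line forms), dropping trailing comments.
func RequiredVersions(gomod string) map[string]string {
	req := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module/go/replace/exclude lines are not gated here
		}
		if f := strings.Fields(line); len(f) >= 2 {
			req[f[0]] = f[1]
		}
	}
	return req
}

// Outdated lists every module in floors that go.mod requires below its
// floor, as sorted "module have < floor" strings.
func Outdated(gomod string, floors map[string]string) ([]string, error) {
	req := RequiredVersions(gomod)
	var bad []string
	for mod, floor := range floors {
		have, ok := req[mod]
		if !ok {
			continue // not a dependency of this module
		}
		hv, err := parseVersion(have)
		if err != nil {
			return nil, err
		}
		fv, err := parseVersion(floor)
		if err != nil {
			return nil, err
		}
		if less(hv, fv) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Constructed go.mod excerpt at the pre-PR versions; not a real file.
	before := "module example.com/app\n\ngo 1.24\n\nrequire (\n\tgolang.org/x/crypto v0.50.0 // indirect\n\tgolang.org/x/net v0.53.0\n\tgolang.org/x/text v0.37.0\n)\n"
	bad, err := Outdated(before, Minimum)
	if err != nil {
		panic(err)
	}
	fmt.Println("below patched floor:", bad)
}
```

In CI, feed the real file with os.ReadFile("go.mod") and fail the job when Outdated returns anything. Two caveats: a replace directive or a higher requirement elsewhere in the build list can change the version Go actually selects, so `go list -m golang.org/x/net` on the built module is the authoritative answer, and `govulncheck ./...` is the check that maps the selected versions to the published Go vulnerability reports rather than to a hand-maintained floor like the one above.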

@Shelnutt2 Shelnutt2 changed the title fix(deps): upgrade golang.org/x/net to v0.55.0 (5 html CVEs) fix: upgrade golang.org/x/net to v0.55.0 (5 html CVEs) May 28, 2026
@Shelnutt2 Shelnutt2 requested a review from f0ssel May 28, 2026 10:15
@Shelnutt2 Shelnutt2 added dependencies Pull requests that update a dependency file cherry-pick/v2.32 labels May 28, 2026
Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on release/2.32
to address 5 CVEs in x/net/html:
- CVE-2026-25680: DoS via cubic complexity in HTML tree construction
- CVE-2026-25681: Incorrect handling of character references in DOCTYPE (XSS)
- CVE-2026-27136: Incorrect handling of namespaced elements in foreign content (XSS)
- CVE-2026-42502: Incorrect handling of HTML elements in foreign content (XSS)
- CVE-2026-42506: Failure to reject ASCII-only Punycode-encoded labels (privilege escalation)

Transitive dependency bumps:
- golang.org/x/crypto v0.50.0 -> v0.51.0
- golang.org/x/sys v0.43.0 -> v0.45.0
- golang.org/x/term v0.42.0 -> v0.43.0
- golang.org/x/text v0.36.0 -> v0.37.0

Fixes: ENT-92
@f0ssel f0ssel force-pushed the seth/upgrade-xnet-v0.55.0-2.32 branch from 3a9d2d2 to 2d2fc24 Compare May 30, 2026 19:20
@f0ssel Member

f0ssel commented May 30, 2026

Pushed to fix merge conflicts

@f0ssel f0ssel merged commit 443bc1a into release/2.32 May 30, 2026
25 of 26 checks passed
@f0ssel f0ssel deleted the seth/upgrade-xnet-v0.55.0-2.32 branch May 30, 2026 19:34
@github-actions github-actions Bot locked and limited conversation to collaborators May 30, 2026