
fix: upgrade golang.org/x/net to v0.55.0 (5 CVEs) (backport 2.33) #25774

Merged
Shelnutt2 merged 1 commit into release/2.33 from upgrade-xnet-v0.55.0-release-2.33
Jun 4, 2026

@Shelnutt2
Contributor

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on the release/2.33 branch to resolve five x/net/html CVEs discovered in the IronBank scan.

CVEs resolved

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2026-25680 | Low | DoS via cubic complexity algorithm in HTML tree construction |
| CVE-2026-25681 | Low | Incorrect handling of character references in DOCTYPE nodes (XSS) |
| CVE-2026-27136 | Low | Incorrect handling of namespaced elements in foreign content (XSS) |
| CVE-2026-42502 | Low | Incorrect handling of HTML elements in foreign content (XSS) |
| CVE-2026-42506 | Low | Failure to reject ASCII-only Punycode-encoded labels (privilege escalation) |

Changes

  • golang.org/x/net v0.53.0 -> v0.55.0
  • golang.org/x/crypto v0.50.0 -> v0.51.0
  • golang.org/x/sys v0.43.0 -> v0.45.0
  • golang.org/x/term v0.42.0 -> v0.43.0
  • golang.org/x/text v0.36.0 -> v0.37.0

Refs ENT-97

Note

Generated by Coder Agents on behalf of @Shelnutt2

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on the release/2.33
branch to resolve five x/net/html CVEs discovered in the IronBank scan:

- CVE-2026-25680: DoS via cubic complexity in HTML tree construction
- CVE-2026-25681: Incorrect handling of character references in DOCTYPE
- CVE-2026-27136: Incorrect handling of namespaced elements in foreign content
- CVE-2026-42502: Incorrect handling of HTML elements in foreign content
- CVE-2026-42506: Failure to reject ASCII-only Punycode-encoded labels

Companion x/ dependency bumps:
- golang.org/x/crypto v0.50.0 -> v0.51.0
- golang.org/x/sys v0.43.0 -> v0.45.0
- golang.org/x/term v0.42.0 -> v0.43.0
- golang.org/x/text v0.36.0 -> v0.37.0

Refs ENT-97
@Shelnutt2 Shelnutt2 changed the title from "fix(deps): upgrade golang.org/x/net to v0.55.0 (5 CVEs) (backport 2.33)" to "fix: upgrade golang.org/x/net to v0.55.0 (5 CVEs) (backport 2.33)" on May 28, 2026
@Shelnutt2 Shelnutt2 requested a review from f0ssel on May 28, 2026 10:15
@Shelnutt2 Shelnutt2 added the dependencies (Pull requests that update a dependency file) and cherry-pick/v2.33 labels on May 28, 2026
@Shelnutt2 Shelnutt2 merged commit 921d037 into release/2.33 Jun 4, 2026
41 of 42 checks passed
@Shelnutt2 Shelnutt2 deleted the upgrade-xnet-v0.55.0-release-2.33 branch June 4, 2026 15:10
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 4, 2026
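
A CI-style check for the version floors in the change list above, added here as an example (it is not code from this PR or the Coder repository): it reads the `require` directives of a go.mod and reports any of the five x/ modules pinned below the upgraded version. The names `floors`, `rank` and `Audit` and the sample go.mod are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// floors: minimum versions taken from the PR's change list.
var floors = map[string]string{
	"golang.org/x/net": "v0.55.0", "golang.org/x/crypto": "v0.51.0",
	"golang.org/x/sys": "v0.45.0", "golang.org/x/term": "v0.43.0",
	"golang.org/x/text": "v0.37.0",
}

// rank maps vX.Y.Z[-pre] to a sortable int (components assumed < 10000). Pre-release
// and pseudo-versions rank just below their release; unparseable input ranks lowest.
func rank(v string) int {
	var a, b, c, rel int
	if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c); n != 3 {
		return -1
	}
	if !strings.Contains(v, "-") {
		rel = 1
	}
	return ((a*10000+b)*10000+c)*2 + rel
}

// Audit lists floored modules that go.mod requires below the floor. Only require
// directives are read; replace directives are not evaluated (assumption: none used).
func Audit(gomod string) (findings []string) {
	inReq := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop "// indirect" etc.
		single := len(f) == 3 && f[0] == "require"
		if single {
			f = f[1:]
		} else if len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")") {
			inReq = f[0] == "require" // block opens or closes
		}
		if (single || inReq) && len(f) == 2 && floors[f[0]] != "" && rank(f[1]) < rank(floors[f[0]]) {
			findings = append(findings, f[0]+" "+f[1]+" < "+floors[f[0]])
		}
	}
	return findings
}

// sample is a constructed go.mod fragment (not from the PR) with a stale x/net.
const sample = "require (\n\tgolang.org/x/net v0.53.0\n\tgolang.org/x/text v0.37.0 // indirect\n)\n"

func main() { fmt.Println(strings.Join(Audit(sample), "\n")) }
```

The versions the build actually resolves, including any replace directives, are reported by `go list -m all`.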