chore(deps): update module golang.org/x/net to v0.38.0 [security] #256

Open

renovate-bot wants to merge 1 commit from renovate/go-golang.org-x-net-vulnerability into master

pull from: renovate/go-golang.org-x-net-vulnerability

merge into: nemunaire:master

nemunaire:master

nemunaire:renovate/eslint-plugin-svelte-3.x-lockfile

nemunaire:renovate/sass-1.x-lockfile

nemunaire:renovate/typescript-eslint-monorepo

nemunaire:renovate/sveltejs-vite-plugin-svelte-5.x-lockfile

nemunaire:renovate/svelte-5.x-lockfile

nemunaire:renovate/go-1.x

nemunaire:renovate/sveltejs-kit-2.x-lockfile

nemunaire:renovate/alpine-3.x

nemunaire:web

nemunaire:legacy

nemunaire:http

Conversation 1 Commits 1 Files changed 2 +12 -12

renovate-bot commented 2025-05-22 08:13:30 +00:00

Collaborator

Copy link

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
golang.org/x/net	v0.25.0 -> v0.38.0

---

Non-linear parsing of case-insensitive content in golang.org/x/net/html

CVE-2024-45338 / GHSA-w32m-9786-jp63 / GO-2024-3333

More information

Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Severity

Unknown

References

• https://go.dev/cl/637536
• https://go.dev/issue/70906
• https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

• https://go.dev/cl/654697
• https://go.dev/issue/71984

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• https://go-review.googlesource.com/q/project:net
• https://go.dev/cl/654697
• https://go.dev/issue/71984
• https://pkg.go.dev/vuln/GO-2025-3503
• https://security.netapp.com/advisory/ntap-20250509-0007
• http://www.openwall.com/lists/oss-security/2025/03/07/2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. ,

Severity

Unknown

References

• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. ,

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22872
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
• https://pkg.go.dev/vuln/GO-2025-3595
• https://security.netapp.com/advisory/ntap-20250516-0007

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/net | `v0.25.0` -> `v0.38.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Non-linear parsing of case-insensitive content in golang.org/x/net/html [CVE-2024-45338](https://nvd.nist.gov/vuln/detail/CVE-2024-45338) / [GHSA-w32m-9786-jp63](https://github.com/advisories/GHSA-w32m-9786-jp63) / [GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333) <details> <summary>More information</summary> #### Details An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. #### Severity Unknown #### References - [https://go.dev/cl/637536](https://go.dev/cl/637536) - [https://go.dev/issue/70906](https://go.dev/issue/70906) - [https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ](https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-3333) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) <details> <summary>More information</summary> #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity Unknown #### References - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3503) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) <details> <summary>More information</summary> #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) - [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net) - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) - [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) - [https://security.netapp.com/advisory/ntap-20250509-0007](https://security.netapp.com/advisory/ntap-20250509-0007) - [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) / [GHSA-vvgc-356p-c3xw](https://github.com/advisories/GHSA-vvgc-356p-c3xw) / [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) <details> <summary>More information</summary> #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). #### Severity Unknown #### References - [https://go.dev/cl/662715](https://go.dev/cl/662715) - [https://go.dev/issue/73070](https://go.dev/issue/73070) - [https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA](https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3595) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### golang.org/x/net vulnerable to Cross-site Scripting [CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) / [GHSA-vvgc-356p-c3xw](https://github.com/advisories/GHSA-vvgc-356p-c3xw) / [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) <details> <summary>More information</summary> #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) - [https://go.dev/cl/662715](https://go.dev/cl/662715) - [https://go.dev/issue/73070](https://go.dev/issue/73070) - [https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA](https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA) - [https://pkg.go.dev/vuln/GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) - [https://security.netapp.com/advisory/ntap-20250516-0007](https://security.netapp.com/advisory/ntap-20250516-0007) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-vvgc-356p-c3xw) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4xNC42IiwidXBkYXRlZEluVmVyIjoiNDAuNDguNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->

renovate-bot added 1 commit 2025-05-22 08:13:32 +00:00

chore(deps): update module golang.org/x/net to v0.38.0 [security] d3fd3b47cf

renovate-bot commented 2025-05-22 08:13:33 +00:00

Author

Collaborator

Copy link

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.35.0 -> v0.36.0
golang.org/x/sys	v0.30.0 -> v0.31.0
golang.org/x/text	v0.22.0 -> v0.23.0

### ℹ Artifact update notice ##### File name: go.mod In order to perform the update(s) described in the table above, Renovate ran the `go get` command, which resulted in the following additional change(s): - 3 additional dependencies were updated Details: | **Package** | **Change** | | :-------------------- | :--------------------- | | `golang.org/x/crypto` | `v0.35.0` -> `v0.36.0` | | `golang.org/x/sys` | `v0.30.0` -> `v0.31.0` | | `golang.org/x/text` | `v0.22.0` -> `v0.23.0` |

renovate-bot force-pushed renovate/go-golang.org-x-net-vulnerability from d3fd3b47cf to 4c4f459ab2 2025-05-22 08:20:52 +00:00 Compare

renovate-bot force-pushed renovate/go-golang.org-x-net-vulnerability from 4c4f459ab2 to 2bedee9701 2025-05-22 11:17:54 +00:00 Compare

renovate-bot force-pushed renovate/go-golang.org-x-net-vulnerability from 2bedee9701 to c96e775606 2025-05-22 14:14:54 +00:00 Compare

All checks were successful

Hide all checks

continuous-integration/drone/push Build is passing

Details

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/go-golang.org-x-net-vulnerability:renovate/go-golang.org-x-net-vulnerability

git checkout renovate/go-golang.org-x-net-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout master

git merge --no-ff renovate/go-golang.org-x-net-vulnerability

git checkout renovate/go-golang.org-x-net-vulnerability

git rebase master

git checkout master

git merge --ff-only renovate/go-golang.org-x-net-vulnerability

git checkout renovate/go-golang.org-x-net-vulnerability

git rebase master

git checkout master

git merge --no-ff renovate/go-golang.org-x-net-vulnerability

git checkout master

git merge --squash renovate/go-golang.org-x-net-vulnerability

git checkout master

git merge --ff-only renovate/go-golang.org-x-net-vulnerability

git checkout master

git merge renovate/go-golang.org-x-net-vulnerability

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: nemunaire/reveil#256

No description provided.