Update vulnerable dependencies [SECURITY] #1566
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pulumi-renovate
bot
added
dependencies
Contributor
Author
ℹ Artifact update noticeFile name: examples/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
![pulumi-renovate-approve[bot]](https://avatars.githubusercontent.com/u/21992475?s=60&v=4){kind=small}
Contributor
Does the PR have any schema changes?Looking good! No breaking changes found. Maintainer note: consult the runbook for dealing with any breaking changes. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1566 +/- ##
======================================
Coverage 0.00% 0.00%
======================================
Files 3 3
Lines 120 120
======================================
Misses 120 120 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
pulumi-renovate
bot
force-pushed
the
renovate/security
branch
from
a49af27 to
ad61ce3
Compare
pulumi-renovate
bot
changed the title
Contributor
Author
|
pulumi-renovate
bot
force-pushed
the
renovate/security
branch
3 times, most recently
from
1e087d3 to
0cb3dd5
Compare
pulumi-renovate
bot
force-pushed
the
renovate/security
branch
6 times, most recently
from
0c09c08 to
7a1ff55
Compare
pulumi-renovate
bot
force-pushed
the
renovate/security
branch
from
7a1ff55 to
5c2c99c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.3.7->v1.6.1v2.0.5->v2.0.7v5.11.0->v5.13.0v1.1.2->v1.2.4v0.39.0->v0.45.0v0.24.0->v0.45.0v0.33.0->v0.45.0v0.37.0->v0.45.0v0.26.0->v0.38.0v0.35.0->v0.38.0GitHub Vulnerability Alerts
CVE-2025-8556
Impact
The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.
Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.
Patches
Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.
We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754
More information
Details
Impact
The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.
Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.
Patches
Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.
We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl
CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754
More information
Details
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
CVE-2024-25621
Impact
An overly broad default permission vulnerability was found in containerd.
/var/lib/containerdwas created with the permission bits 0o711, while it should be created with 0o700/run/containerd/io.containerd.grpc.v1.criwas created with 0o755, while it should be created with 0o700/run/containerd/io.containerd.sandbox.controller.v1.shimwas created with 0o711, while it should be created with 0o700The directory paths may differ depending on the daemon configuration.
When the
tempdirectory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.
Note
/run/containerdand/run/containerd/io.containerd.runtime.v2.taskare still created with 0o711.This is an expected behavior for supporting userns-remapped containers.
Workarounds
The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:
An alternative mitigation would be to run containerd in rootless mode.
Credits
The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
CVE-2025-64329
Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g.,
kubectl attach) could increase the memory usage of containerd.Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Workarounds
Set up an admission controller to control accesses to
pods/attachresources.e.g., Validating Admission Policy.
Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108
More information
Details
containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd
CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100
More information
Details
containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
containerd CRI server: Host memory exhaustion through Attach goroutine leak
CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108
More information
Details
Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g.,
kubectl attach) could increase the memory usage of containerd.Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
Workarounds
Set up an admission controller to control accesses to
pods/attachresources.e.g., Validating Admission Policy.
Credits
The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
containerd affected by a local privilege escalation via wide permissions on CRI directory
CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100
More information
Details
Impact
An overly broad default permission vulnerability was found in containerd.
/var/lib/containerdwas created with the permission bits 0o711, while it should be created with 0o700/run/containerd/io.containerd.grpc.v1.criwas created with 0o755, while it should be created with 0o700/run/containerd/io.containerd.sandbox.controller.v1.shimwas created with 0o711, while it should be created with 0o700The directory paths may differ depending on the daemon configuration.
When the
tempdirectory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.Patches
This bug has been fixed in the following containerd versions:
Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.
Workarounds
The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:
An alternative mitigation would be to run containerd in rootless mode.
Credits
The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
To report a security issue in containerd:
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2025-21613
Impact
An argument injection vulnerability was discovered in
go-gitversions prior tov5.13.Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the
filetransport protocol is being used, as that is the only protocol that shells out togitbinaries.Affected versions
Users running versions of
go-gitfromv4and above are recommended to upgrade tov5.13in order to mitigate this vulnerability.Workarounds
In cases where a bump to the latest version of
go-gitis not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
CVE-2025-21614
Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to
v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion ingo-gitclients.This is a
go-gitimplementation issue and does not affect the upstreamgitcli.Patches
Users running versions of
go-gitfromv4and above are recommended to upgrade tov5.13in order to mitigate this vulnerability.Workarounds
In cases where a bump to the latest version of
go-gitis not possible, we recommend limiting its use to only trust-worthy Git servers.Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
Argument Injection via the URL field in github.com/go-git/go-git
CVE-2025-21613 / GHSA-v725-9546-7q7m / GO-2025-3368
More information
Details
Argument Injection via the URL field in github.com/go-git/go-git
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git
CVE-2025-21614 / GHSA-r9px-m959-cxf4 / GO-2025-3367
More information
Details
Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
go-git clients vulnerable to DoS via maliciously crafted Git server replies
CVE-2025-21614 / GHSA-r9px-m959-cxf4 / GO-2025-3367
More information
Details
Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to
v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion ingo-gitclients.This is a
go-gitimplementation issue and does not affect the upstreamgitcli.Patches
Users running versions of
go-gitfromv4and above are recommended to upgrade tov5.13in order to mitigate this vulnerability.Workarounds
In cases where a bump to the latest version of
go-gitis not possible, we recommend limiting its use to only trust-worthy Git servers.Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
go-git has an Argument Injection via the URL field
CVE-2025-21613 / GHSA-v725-9546-7q7m / GO-2025-3368
More information
Details
Impact
An argument injection vulnerability was discovered in
go-gitversions prior tov5.13.Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the
filetransport protocol is being used, as that is the only protocol that shells out togitbinaries.Affected versions
Users running versions of
go-gitfromv4and above are recommended to upgrade tov5.13in order to mitigate this vulnerability.Workarounds
In cases where a bump to the latest version of
go-gitis not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2024-45339
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
Insecure Temporary File usage in github.com/golang/glog
CVE-2024-45339 / GHSA-6wxm-mpqj-6jpf / GO-2025-3372
More information
Details
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Vulnerability when creating log files in github.com/golang/glog
CVE-2024-45339 / GHSA-6wxm-mpqj-6jpf / GO-2025-3372
More information
Details
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
CVE-2025-58181
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-47914
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Potential denial of service in golang.org/x/crypto/ssh/agent
CVE-2025-47913 / GO-2025-4116
More information
Details
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134
More information
Details
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135
More information
Details
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135
More information
Details
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Unbounded memory consumption in golang.org/x/crypto/ssh
CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134
More information
Details
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
CVE-2024-45337
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
CVE-2025-22869
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto
CVE-2024-45337 / GHSA-v778-237x-gjrc / GO-2024-3321
More information
Details
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
CVE-2024-45337 / GHSA-v778-237x-gjrc / GO-2024-3321
More information
Details
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange
CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487
More information
Details
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Potential denial of service in golang.org/x/crypto
CVE-2025-22869 / GHSA-hcg3-q754-cr77 / GO-2025-3487
More information
Details
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-22872
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
Non-linear parsing of case-insensitive content in golang.org/x/net/html
CVE-2024-45338 / GHSA-w32m-9786-jp63 / GO-2024-3333
More information
Details
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503
More information
Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503
More information
Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
golang.org/x/net vulnerable to Cross-site Scripting
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
More information
Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
cloudflare/circl (github.com/cloudflare/circl)
v1.6.1: CIRCL v1.6.1Compare Source
CIRCL v1.6.1
What's Changed
Full Changelog: cloudflare/circl@v1.6.0...v1.6.1
v1.6.0: CIRCL v1.6.0Compare Source
CIRCL v1.6.0
New!
What's Changed
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.