Skip to content

[release-v0.42.x] Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0#3005

Open
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12670-cve-2026-25681-golang.org-x-net-release-v0.42.x-attempt-1
Open

[release-v0.42.x] Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0#3005
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12670-cve-2026-25681-golang.org-x-net-release-v0.42.x-attempt-1

Conversation

@divyansh42

Copy link
Copy Markdown
Member

Summary

This PR fixes CVE-2026-25681 and CVE-2026-27136 by upgrading golang.org/x/net from v0.49.0 to v0.55.0.

CVE Details

  • CVE-2026-25681 (GO-2026-5029): XSS via golang.org/x/net/html — Arbitrary code execution via Cross-Site Scripting; fixed in v0.55.0. Jira: SRVKP-12670
  • CVE-2026-27136 (GO-2026-5030): XSS via golang.org/x/net/html — Cross-Site Scripting via HTML parsing bypass; fixed in v0.55.0. Jira: SRVKP-12687

Changes

  • Upgraded golang.org/x/net v0.49.0 → v0.55.0
  • Transitive: x/crypto v0.47.0→v0.51.0, x/sys, x/text, x/tools, x/sync, x/mod, x/term

Test Results

Status: All 41 unit test packages passed

Jira References

SRVKP-12670, SRVKP-12687

Risk Assessment

Low — indirect dependency upgrade; no breaking API changes; all unit tests pass.


🤖 Generated by CVE Fixer Workflow

Security fix: upgrade golang.org/x/net from v0.49.0 to v0.55.0 to address CVE-2026-25681 and CVE-2026-27136

- Upgrade golang.org/x/net from v0.49.0 to v0.55.0
- Addresses XSS vulnerabilities in golang.org/x/net/html (html parsing bypass)
- Transitive upgrades: x/crypto v0.47.0→v0.51.0, x/sys, x/text, x/tools
- All 41 unit test packages pass

Jira: SRVKP-12670, SRVKP-12687

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 7, 2026
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 7, 2026
@pratap0007

Copy link
Copy Markdown
Contributor

/retest

@pratap0007

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pratap0007
To complete the pull request process, please assign pradeepitm12 after the PR has been reviewed.
You can assign the PR to them by writing /assign @pradeepitm12 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0 (SRVKP-12670, SRVKP-12687) Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0 Jul 8, 2026
@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0 [release-v0.42.x] Security: Fix CVE-2026-25681, CVE-2026-27136 - upgrade golang.org/x/net to v0.55.0 Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants