fix: bump extras/dagger golang.org/x/net to v0.53.0 #3252

Open · chainloop-platform[bot] wants to merge 1 commit into main from chainloop/fix-go-2026-4918-golang-org-x-net-20260629-215035

Conversation

chainloop-platform (Bot, Contributor) commented Jun 29, 2026

Summary

Updated the optional extras/dagger module to use the first golang.org/x/net release that fixes GO-2026-4918, and raised that module's Go directive so the patched dependency can resolve cleanly.

Vulnerability Fixed

GO-2026-4918-golang.org/x/net (HIGH): when processing HTTP/2 SETTINGS frames, the transport can loop indefinitely writing CONTINUATION frames after receiving SETTINGS_MAX_FRAME_SIZE=0, causing client-side denial of service.

Changes Made

  • Bumped golang.org/x/net in extras/dagger/go.mod from v0.44.0 to v0.53.0, the first fixed release for this advisory.
  • Raised the extras/dagger module go directive from 1.24.0 to 1.25.0 because golang.org/x/net v0.53.0 declares go 1.25.0.
  • Refreshed extras/dagger/go.sum with the v0.53.0 checksums.

Verification

Ran syft dir:. -o cyclonedx-json=/tmp/chainloop-sbom.json and grype sbom:/tmp/chainloop-sbom.json --only-fixed -o json against the patched repository. Classification: resolved. A targeted follow-up check confirmed GO-2026-4918-golang.org/x/net is no longer reported. Caveat: the scan still reports other unrelated fixed advisories in extras/dagger, including newer golang.org/x/net issues fixed after v0.53.0.

Risk Assessment

View the risk assessment in Chainloop

kusari-inspector (Kusari Inspector) commented

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code analysis found zero issues in the modified files (extras/dagger/go.mod and extras/dagger/go.sum), the dependency analysis identified a critical concern that we strongly recommend addressing before merging. The PR updates golang.org/x/net from v0.44.0 to v0.53.0 to resolve CVE-2026-33814, but v0.53.0 still carries 6 active vulnerabilities: three XSS vulnerabilities (CVE-2026-25681, CVE-2026-27136, CVE-2026-42506, CVE-2026-42502) in HTML parsing and rendering, a DoS vulnerability via excessive CPU usage during HTML parsing (CVE-2026-25680), and a privilege escalation issue in the idna package via failure to reject ASCII-only Punycode-encoded labels (CVE-2026-39821). These vulnerabilities present meaningful risk, particularly the XSS and privilege escalation issues which could have direct business impact if exploited. The fix is straightforward: update golang.org/x/net to v0.56.0 instead of v0.53.0, which fully resolves all known active advisories. Action item: run 'go get golang.org/x/net@v0.56.0' in the extras/dagger directory and update the go.sum accordingly before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • golang.org/x/net is being updated to v0.53.0, but this version still contains 6 active advisories:
      • CVE-2026-25680 (GO-2026-5028): DoS via excessive CPU when parsing arbitrary HTML
      • CVE-2026-25681 (GO-2026-5029): XSS via incorrect handling of character references in DOCTYPE nodes
      • CVE-2026-27136 (GO-2026-5030): XSS via duplicate attributes during HTML rendering
      • CVE-2026-42506 (GO-2026-5025): XSS via incorrect handling of namespaced elements in foreign content
      • CVE-2026-42502 (GO-2026-5027): XSS via incorrect handling of HTML elements in foreign content
      • CVE-2026-39821 (GO-2026-5026): Privilege escalation via failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Dependency path: golang.org/x/net (direct dependency)

The vulnerabilityFixReport identifies v0.56.0 as the version that resolves all active vulnerabilities. Update to v0.56.0 instead of v0.53.0:
go get golang.org/x/net@v0.56.0

This is a direct dependency update so the fix is straightforward.


@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 0494bdd, performed at: 2026-06-29T21:51:10Z

Found this helpful? Give it a 👍 or 👎 reaction!
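The Kusari comment asks for a newer golang.org/x/net than the PR pins, and the PR description notes that the module's go directive had to rise with the dependency. As an added example (not code from the PR or from either bot), here is a small Go check that reads go.mod text, compares the pinned golang.org/x/net against the first fixed release of each advisory, and flags a go directive older than the Go version the pinned x/net declares. The go.mod text is constructed; the advisory table passed in by the caller uses v0.53.0 for GO-2026-4918 from the PR and assumes v0.56.0 for the remaining advisories, since the report only states that v0.56.0 resolves them.

```go
package main

import (
	"bufio"
	"cmp"
	"strconv"
	"strings"
)

// Constructed go.mod text modelled on extras/dagger/go.mod after this PR (layout assumed).
const sampleGoMod = "module example.com/extras/dagger\n\ngo 1.25.0\n\nrequire (\n\tgolang.org/x/net v0.53.0\n)\n"

// CompareVersions orders dotted release versions such as v0.53.0 or 1.25.0 (no pre-release tags).
func CompareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return cmp.Compare(x, y)
		}
	}
	return cmp.Compare(len(pa), len(pb))
}

// Unfixed lists the advisories whose first fixed golang.org/x/net release is newer than the version
// pinned in goMod (single-line or block require form) and flags a go directive older than depGo.
func Unfixed(goMod string, fixes map[string]string, depGo string) (ids []string, goTooOld bool) {
	var goDirective, pinned string
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0]) // strip "// indirect" and the like
		if len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		switch {
		case len(f) == 2 && f[0] == "go":
			goDirective = f[1]
		case len(f) == 2 && f[0] == "golang.org/x/net":
			pinned = f[1] // block form: <path> <version>
		}
	}
	for id, fixed := range fixes { // map order is random; sort ids before printing them
		if pinned == "" || CompareVersions(pinned, fixed) < 0 {
			ids = append(ids, id)
		}
	}
	return ids, CompareVersions(goDirective, depGo) < 0
}
```

Calling Unfixed with the pre-PR pin (v0.44.0, go 1.24.0) reports every advisory and the too-old directive; with the PR's v0.53.0 only the advisories the report says need v0.56.0 remain.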