Skip to content

fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0#2911

Open
divyansh42 wants to merge 1 commit into
mainfrom
fix/go-stdlib-1.25.11-xnet-0.55.0-main-attempt-1
Open

fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0#2911
divyansh42 wants to merge 1 commit into
mainfrom
fix/go-stdlib-1.25.11-xnet-0.55.0-main-attempt-1

Conversation

@divyansh42

@divyansh42 divyansh42 commented Jun 20, 2026

Copy link
Copy Markdown
Member

CVE Fix Summary

This PR bumps the Go stdlib directive from 1.25.8 → 1.25.11 and golang.org/x/net from v0.54.0 → v0.55.0 to remediate multiple confirmed vulnerabilities.

CVE Details

Go Standard Library — fixed in go1.25.11

ID Package Severity Description
GO-2026-5039 net/textproto Medium Arbitrary inputs included in errors without escaping
GO-2026-5038 mime Medium Quadratic complexity in WordDecoder.DecodeHeader
GO-2026-5037 crypto/x509 Medium Inefficient candidate hostname parsing
GO-2026-4986 net/mail Medium Quadratic string concatenation in consumeComment
GO-2026-4982 html/template High Bypass of meta content URL escaping causes XSS
GO-2026-4981 net Medium Crash when handling long CNAME response
GO-2026-4980 html/template High Escaper bypass leads to XSS
GO-2026-4977 net/mail Medium Quadratic string concatenation in consumePhrase
GO-2026-4976 net/http/httputil Medium ReverseProxy forwards excess query parameters
GO-2026-4971 net Low Panic on NUL byte in Dial/LookupPort on Windows
GO-2026-4947 crypto/x509 Medium Unexpected work during chain building
GO-2026-4946 crypto/x509 Medium Inefficient policy validation
GO-2026-4870 crypto/tls High Unauthenticated TLS 1.3 KeyUpdate causes DoS
GO-2026-4869 archive/tar Medium Unbounded allocation for old GNU sparse
GO-2026-4865 html/template High JsBraceDepth context tracking XSS
GO-2026-4864 internal/syscall/unix Medium TOCTOU root escape on Linux via Root.Chmod
GO-2026-4918 net/http High HTTP/2 infinite loop on bad SETTINGS_MAX_FRAME_SIZE

golang.org/x/net — fixed in v0.55.0

ID Package Severity Description
GO-2026-5026 golang.org/x/net/idna Medium ASCII-only Punycode label bypass in IDNA validation
GO-2026-4918 golang.org/x/net/http2 High Infinite loop via bad SETTINGS_MAX_FRAME_SIZE

Fix Summary

  • Bumped go directive in go.mod: 1.25.81.25.11
  • Bumped golang.org/x/net: v0.54.0v0.55.0
  • Ran go mod tidy && go mod verify && go mod vendor

Test Results

All unit tests passed (go test -mod=vendor ./pkg/...)

ok  github.com/tektoncd/cli/pkg/export
ok  github.com/tektoncd/cli/pkg/file
ok  github.com/tektoncd/cli/pkg/flags
ok  github.com/tektoncd/cli/pkg/formatted
ok  github.com/tektoncd/cli/pkg/labels
ok  github.com/tektoncd/cli/pkg/options
ok  github.com/tektoncd/cli/pkg/params
ok  github.com/tektoncd/cli/pkg/pipeline
ok  github.com/tektoncd/cli/pkg/pipelinerun
ok  github.com/tektoncd/cli/pkg/pods
ok  github.com/tektoncd/cli/pkg/suggestion
ok  github.com/tektoncd/cli/pkg/task
ok  github.com/tektoncd/cli/pkg/taskrun
ok  github.com/tektoncd/cli/pkg/trustedresources
ok  github.com/tektoncd/cli/pkg/version
ok  github.com/tektoncd/cli/pkg/workspaces

Breaking Changes

None. Both changes are patch/minor bumps with no API changes.

Risk Assessment

Low — stdlib and x/net version bumps are standard security patches. Go promises backward compatibility within the same minor version series. All unit tests pass.

Verification Steps

  • Verify go version go1.25.11 in local environment matches CI
  • Review test results in CI
  • Scan with govulncheck -scan=package ./... to confirm remediation

Jira References

No active Jira CVE tickets for Tekton CLI were found at time of fix. Vulnerabilities discovered via govulncheck direct scan.

Component: Tekton CLI
Lead: Divyanshu Agrawal (diagrawa@redhat.com)

@divyansh42
fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0
d82e6f6 
- Update go directive from 1.25.8 to 1.25.11 to resolve 12 stdlib CVEs:
  GO-2026-5039 (net/textproto unescaped errors)
  GO-2026-5038 (mime quadratic complexity)
  GO-2026-5037 (crypto/x509 inefficient hostname parsing)
  GO-2026-4986/4977 (net/mail quadratic string concatenation)
  GO-2026-4982/4980 (html/template XSS via escaper bypass)
  GO-2026-4981/4971 (net crash on long CNAME / NUL byte)
  GO-2026-4976 (net/http/httputil ReverseProxy query param forwarding)
  GO-2026-4947/4946 (crypto/x509 unexpected work / inefficient policy)
  GO-2026-4870 (crypto/tls unauthenticated KeyUpdate DoS)
  GO-2026-4869 (archive/tar unbounded allocation)
  GO-2026-4865/4864 (html/template XSS / TOCTOU root escape)
  GO-2026-4918 (net/http HTTP/2 infinite loop)
- Update golang.org/x/net from v0.54.0 to v0.55.0 to resolve:
  GO-2026-5026 (idna: ASCII-only Punycode label bypass)
  GO-2026-4918 (HTTP/2 infinite loop on bad SETTINGS_MAX_FRAME_SIZE)
- Run go mod tidy, go mod verify, go mod vendor

All unit tests pass.

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot

tekton-robot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 20, 2026
@tekton-robot tekton-robot requested a review from pratap0007 June 20, 2026 09:17
@tekton-robot

tekton-robot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from divyansh42 after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pradeepitm12 pradeepitm12 Awaiting requested review from pradeepitm12

@pratap0007 pratap0007 Awaiting requested review from pratap0007

Assignees

No one assigned

Labels

do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@divyansh42 @tekton-robot