Bump the other-go-modules group across 1 directory with 2 updates#76
Bump the other-go-modules group across 1 directory with 2 updates#76dependabot[bot] wants to merge 1 commit into
Conversation
Walkthrough
ChangesDependency Version Bumps
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 16✅ Passed checks (16 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dependabot[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Around line 78-86: Update the golang.org/x/net module from v0.53.0 to v0.55.0
or later to address CVEs GO-2026-5025 and GO-2026-5030 in HTML parsing. Update
the golang.org/x/sys module from v0.43.0 to v0.45.0 or later to address CVE
GO-2026-5024 in Windows NTLM string conversion (note that v0.44.0 is
insufficient, use v0.45.0 or later). Additionally, inspect the
github.com/google/pprof dependency to replace its pseudo-version pin with a
released version to comply with supply chain security guidelines.
- Around line 78-86: Update the golang.org/x/net dependency from v0.53.0 to
v0.55.0 or later and the golang.org/x/sys dependency from v0.43.0 to v0.44.0 or
later in the go.mod file to address the identified CVEs. After making these
version changes, run the pre-commit checks by executing make generate, make
manifests, go mod tidy, go mod vendor, and hack/align-ocp-version.sh to ensure
compatibility and stage any resulting changes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 31f5b42f-9cc4-4468-ba88-33d917dc7622
⛔ Files ignored due to path filters (94)
go.sumis excluded by!**/*.sumvendor/github.com/onsi/ginkgo/v2/.gitignoreis excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/CHANGELOG.mdis excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/README.mdis excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/core_dsl.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/main.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/ginkgo.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/helpergo_dsl.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/internal/global/init.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/internal/suite.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/types/config.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/types/errors.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/types/flags.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/ginkgo/v2/types/version.gois excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/gomega/CHANGELOG.mdis excluded by!vendor/**,!**/vendor/**vendor/github.com/onsi/gomega/gomega_dsl.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/html/iter.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/html/node.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/html/nodetype_string.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/client_priority_go126.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/client_priority_go127.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/frame.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/hpack/tables.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/http2.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/server.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/transport.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/writesched.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/writesched_priority_rfc7540.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/http2/writesched_random.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/net/internal/httpsfv/httpsfv.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sync/singleflight/singleflight.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/plan9/syscall_plan9.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/unix/ioctl_signed.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/unix/ioctl_unsigned.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/unix/syscall_solaris.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/unix/syscall_unix.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/unix/ztypes_linux.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/aliases.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/dll_windows.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/registry/key.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/security_windows.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/syscall_windows.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/types_windows.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/sys/windows/zsyscall_windows.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/message/catalog/catalog.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/message/catalog/dict.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/message/catalog/go19.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/message/catalog/gopre19.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables10.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables11.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables12.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables13.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables15.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables17.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/bidi/tables9.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/forminfo.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables10.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables11.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables12.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables15.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables17.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/text/unicode/norm/tables9.0.0.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/ast/inspector/cursor.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/ast/inspector/inspector.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/ast/inspector/iter.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/packages/golist.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/packages/packages.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/go/types/objectpath/objectpath.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/aliases/aliases.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/aliases/aliases_go122.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/event/core/event.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/event/keys/keys.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/event/label/label.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/gcimporter/iexport.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/gcimporter/iimport.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/gcimporter/ureader.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/gocommand/version.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/pkgbits/version.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/stdlib/deps.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/typeparams/coretype.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/typeparams/free.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/typesinternal/types.gois excluded by!vendor/**,!**/vendor/**vendor/golang.org/x/tools/internal/versions/features.gois excluded by!vendor/**,!**/vendor/**vendor/modules.txtis excluded by!vendor/**,!**/vendor/**
📒 Files selected for processing (1)
go.mod
| golang.org/x/mod v0.35.0 // indirect | ||
| golang.org/x/net v0.53.0 // indirect | ||
| golang.org/x/oauth2 v0.34.0 // indirect | ||
| golang.org/x/sync v0.19.0 // indirect | ||
| golang.org/x/sys v0.40.0 // indirect | ||
| golang.org/x/term v0.39.0 // indirect | ||
| golang.org/x/text v0.33.0 // indirect | ||
| golang.org/x/sync v0.20.0 // indirect | ||
| golang.org/x/sys v0.43.0 // indirect | ||
| golang.org/x/term v0.42.0 // indirect | ||
| golang.org/x/text v0.36.0 // indirect | ||
| golang.org/x/time v0.14.0 // indirect | ||
| golang.org/x/tools v0.41.0 // indirect | ||
| golang.org/x/tools v0.44.0 // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Extract go.mod header to determine the effective Go toolchain version (required by retrieved learning)
echo "=== go.mod header (toolchain / go directives) ==="
head -n 10 go.mod
# Cross-reference with osv.dev for CVE details and Go version applicability
echo ""
echo "=== Verify CVE details on osv.dev (check Go version applicability) ==="
echo "Vulnerabilities flagged by OSV Scanner above. Check:"
echo " - https://osv.dev/list?ecosystem=Go"
echo " - Filter by go.golang.org/x/net, go.golang.org/x/sys"
echo " - Cross-reference affected versions with the Go toolchain version extracted above"Repository: openshift/pf-status-relay-operator
Length of output: 747
🏁 Script executed:
#!/bin/bash
# Extract full go.mod to see all golang.org/x/* versions and google/pprof
echo "=== Full go.mod lines 40-90 (all google/pprof and golang.org/x/* deps) ==="
sed -n '40,90p' go.mod
echo ""
echo "=== Check for google/pprof in full go.mod ==="
grep -n "google/pprof" go.mod || echo "Not found in direct search; checking indirect markers..."
grep -n "pprof" go.modRepository: openshift/pf-status-relay-operator
Length of output: 3185
🏁 Script executed:
#!/bin/bash
# Search codebase for vulnerable code path usage patterns
# Check for HTML parsing from golang.org/x/net
echo "=== Searching for HTML/net parsing code paths ==="
rg -t go "(net\.HTML|html\.Parse|golang\.org/x/net/html)" --no-heading
echo ""
echo "=== Searching for IDNA usage ==="
rg -t go "(idna|IDNA)" --no-heading
echo ""
echo "=== Searching for Windows NTLM usage ==="
rg -t go "(NTLM|NTUnicode|golang\.org/x/sys/windows)" --no-headingRepository: openshift/pf-status-relay-operator
Length of output: 222
🌐 Web query:
golang.org/x/net v0.53.0 CVE GO-2026-5025 GO-2026-5030 Go 1.25 applicability
💡 Result:
The vulnerabilities GO-2026-5025 and GO-2026-5030 affect the golang.org/x/net module [1][2][3]. Both vulnerabilities involve the parsing of arbitrary HTML in golang.org/x/net/html, which can lead to the creation of an unexpected HTML tree and be leveraged for Cross-Site Scripting (XSS) attacks in applications that sanitize HTML input before rendering it [1][2][4]. Applicability: - Affected Versions: Versions of golang.org/x/net/html before v0.55.0 are affected [1][2][5]. - Specific Version: Your specified version, golang.org/x/net v0.53.0, is vulnerable to both issues [3][6]. - Mitigation: Users should update the golang.org/x/net module to version v0.55.0 or later to resolve these vulnerabilities [5][4][7]. Go 1.25 Applicability: Go 1.25 is a separate release from the Go language toolchain (released August 2025) [8][9]. While your environment might be using Go 1.25, the vulnerability resides within the third-party golang.org/x/net module, which is managed independently of the Go standard library version [3]. You must update the external module dependency regardless of your Go toolchain version [4][7].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2026-5025
- 2: https://pkg.go.dev/vuln/GO-2026-5030
- 3: https://pkg.go.dev/golang.org/x/net@v0.53.0
- 4: chore(deps): update module golang.org/x/net to v0.55.0 [security] (release-4.0) argoproj/argo-workflows#16067
- 5: https://deps.dev/advisory/osv/GO-2026-5025
- 6: https://guide.sonatype.com/component/golang/golang.org%2Fx%2Fnet/v0.53.0
- 7: fix(deps): vuln minor upgrades — 4 packages (minor: 4) [tests] DataDog/datadog-api-client-go#4255
- 8: https://go.dev/blog/go1.25
- 9: https://go.dev/doc/devel/release
🌐 Web query:
golang.org/x/sys v0.43.0 CVE GO-2026-5024 Windows NTLM integer overflow
💡 Result:
The vulnerability identified as GO-2026-5024 (CVE-2026-39824) involves an integer overflow in the NewNTUnicodeString function within the golang.org/x/sys/windows package [1][2][3]. The issue stems from the function failing to check for string length overflow when converting a string to a NTUnicodeString [1][4]. Specifically, the length in bytes is calculated using a uint16, meaning that input strings exceeding the capacity of a 16-bit number of bytes would cause an overflow, resulting in a truncated string being returned instead of an error [1][5][3]. Key details regarding this vulnerability include: - Affected Versions: golang.org/x/sys/windows versions prior to v0.44.0 [1][6]. - Resolution: The issue was addressed in version v0.45.0, where the function now correctly returns an error when provided with a string that is too long [3]. - Context: While the report specifies an integer overflow, it is not explicitly categorized as an NTLM-specific vulnerability in official Go security documentation, though it concerns Windows system interactions [1][3]. Some confusion may exist with other NTLM-related vulnerabilities, such as CVE-2026-32952, which affects the unrelated go-ntlmssp package [7]. The Go Security Team published this advisory on May 22, 2026 [1][2][3]. Developers using versions of golang.org/x/sys earlier than v0.44.0 (including v0.43.0) are advised to update to a patched version [1][8][3].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2026-5024
- 2: https://nvd.nist.gov/vuln/detail/CVE-2026-39824
- 3: https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg
- 4: https://nvd.nist.gov/vuln/detail/cve-2026-39824
- 5: x/sys/windows, internal/syscall/windows: integer overflow in NewNTUnicodeString golang/go#78916
- 6: https://osv.dev/vulnerability/GO-2026-5024
- 7: https://nvd.nist.gov/vuln/detail/cve-2026-32952
- 8: https://pkg.go.dev/golang.org/x/sys@v0.43.0
Update golang.org/x/net to v0.55.0+ and golang.org/x/sys to v0.45.0+ to address confirmed CVEs.
Code path analysis shows your operator does not invoke the vulnerable functions (no HTML parsing, IDNA, or Windows NTLM usage found), so current exploitability risk is low. However, the CVEs are confirmed and patches are available:
- golang.org/x/net v0.53.0 → v0.55.0+: Fixes GO-2026-5025 and GO-2026-5030 (HTML parsing XSS vulnerabilities in golang.org/x/net/html).
- golang.org/x/sys v0.43.0 → v0.45.0+: Fixes GO-2026-5024 (integer overflow in Windows NTLM string conversion). Note: v0.44.0 is insufficient; use v0.45.0 or later.
These updates are required for supply chain security compliance even though your code does not currently trigger these code paths.
Additionally, github.com/google/pprof (line 44) is pinned to a pseudo-version (v0.0.0-20260402051712-545e8a4df936), which violates the supply chain security guideline requiring exact version pins. Verify this is intentional or replace with a released version.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
(GO-2026-5025)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
(GO-2026-5026)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
(GO-2026-5027)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
(GO-2026-5028)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
(GO-2026-5029)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking duplicate attributes can cause XSS in golang.org/x/net/html
(GO-2026-5030)
[LOW] 82-82: golang.org/x/sys 0.43.0: Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
(GO-2026-5024)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` around lines 78 - 86, Update the golang.org/x/net module from v0.53.0
to v0.55.0 or later to address CVEs GO-2026-5025 and GO-2026-5030 in HTML
parsing. Update the golang.org/x/sys module from v0.43.0 to v0.45.0 or later to
address CVE GO-2026-5024 in Windows NTLM string conversion (note that v0.44.0 is
insufficient, use v0.45.0 or later). Additionally, inspect the
github.com/google/pprof dependency to replace its pseudo-version pin with a
released version to comply with supply chain security guidelines.
🔒 Security & Privacy | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Extract go.mod header to determine effective Go toolchain version for CVE assessment
head -n 10 go.modRepository: openshift/pf-status-relay-operator
Length of output: 395
🏁 Script executed:
#!/bin/bash
# Extract full go.mod to locate google/pprof and verify indirect dependencies
cat go.modRepository: openshift/pf-status-relay-operator
Length of output: 5200
🏁 Script executed:
#!/bin/bash
# Search for usage of golang.org/x/net and golang.org/x/sys in the codebase
echo "=== golang.org/x/net usage ===" && \
rg 'golang\.org/x/net' --type go -l && \
echo "=== golang.org/x/sys usage ===" && \
rg 'golang\.org/x/sys' --type go -lRepository: openshift/pf-status-relay-operator
Length of output: 203
🌐 Web query:
GO-2026-5025 GO-2026-5026 golang.org/x/net CVE 2026
💡 Result:
The identifiers GO-2026-5025 and GO-2026-5026 refer to vulnerability reports in the Go ecosystem affecting the golang.org/x/net package, which were addressed in version v0.55.0 [1][2][3]. GO-2026-5025 corresponds to CVE-2026-42506 [1][4][5]. It involves an issue where parsing arbitrary HTML can result in an unexpected HTML tree, potentially allowing Cross-Site Scripting (XSS) in applications that sanitize input HTML before rendering [1][5]. The vulnerability affects the golang.org/x/net/html package [1][4]. Note that the identifier CVE-2026-5025 is unrelated to Go and instead refers to a vulnerability in the Langflow application (missing authorization in log endpoints) [6][7]. GO-2026-5026 corresponds to CVE-2026-39821 [2][8]. It involves an issue in the golang.org/x/net/idna package where the ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label [2][3]. This can lead to privilege escalation by bypassing hostname-based security checks [2][3]. Similar to the other identifier, CVE-2026-5026 is also reused in unrelated contexts, specifically referring to a stored XSS vulnerability in a different product [9][10][11]. In summary: - GO-2026-5025: Affects golang.org/x/net/html (CVE-2026-42506) [1][5]. - GO-2026-5026: Affects golang.org/x/net/idna (CVE-2026-39821) [2][8]. - Both vulnerabilities were resolved in golang.org/x/net version v0.55.0 [1][2][3].
Citations:
- 1: https://pkg.go.dev/vuln/GO-2026-5025
- 2: https://pkg.go.dev/vuln/GO-2026-5026
- 3: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
- 4: https://osv.dev/vulnerability/GO-2026-5025
- 5: https://nvd.nist.gov/vuln/detail/CVE-2026-42506
- 6: https://nvd.nist.gov/vuln/detail/CVE-2026-5025
- 7: https://www.cve.org/CVERecord?id=CVE-2026-5025
- 8: https://nvd.nist.gov/vuln/detail/CVE-2026-39821
- 9: https://www.tenable.com/cve/CVE-2026-5026
- 10: https://guide.sonatype.com/vulnerability/CVE-2026-5026
- 11: https://www.sentinelone.com/vulnerability-database/cve-2026-5026/
🏁 Script executed:
#!/bin/bash
# Search for CVE identifiers GO-2026-5027 through GO-2026-5030 and GO-2026-5024
# Also check if google/pprof is in tools.go or build scripts
echo "=== Checking for tools.go (pprof usage) ===" && \
find . -name "tools.go" -type f -exec cat {} \; && \
echo "=== Checking Makefile for pprof references ===" && \
grep -i pprof Makefile || trueRepository: openshift/pf-status-relay-operator
Length of output: 263
🌐 Web query:
GO-2026-5027 GO-2026-5028 GO-2026-5029 GO-2026-5030 golang.org/x/net CVE
💡 Result:
The vulnerability reports you referenced (GO-2026-5027, GO-2026-5028, and GO-2026-5029) are part of the Go Vulnerability Database and relate to security issues in the golang.org/x/net package [1][2][3][4]. These vulnerabilities were addressed in golang.org/x/net version v0.55.0 [1]. Details for each are as follows: GO-2026-5027: This report corresponds to CVE-2026-42506, which involves incorrect handling of namespaced elements in foreign content within the golang.org/x/net/html parser [1][5]. This could be leveraged to execute Cross-Site Scripting (XSS) attacks in applications that attempt to sanitize input HTML before rendering [5]. GO-2026-5028: This report corresponds to CVE-2026-25680, which involves a denial-of-service vulnerability in golang.org/x/net/html [3]. Parsing arbitrary HTML can consume excessive CPU time [3]. GO-2026-5029: This report corresponds to CVE-2026-25681, which involves incorrect handling of character references in DOCTYPE nodes within the golang.org/x/net/html parser [1][2]. Similar to GO-2026-5027, this can lead to XSS when rendering parsed HTML [1]. Regarding GO-2026-5030, it is listed in the Go Vulnerability Database [4], but specific public details for this exact identifier were not surfaced in the search results provided. To obtain official information on all Go security advisories, you can consult the Go Vulnerability Database at https://vuln.go.dev/ or browse reports at https://pkg.go.dev/vuln/ [4][6].
Citations:
- 1: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
- 2: https://pkg.go.dev/vuln/GO-2026-5029
- 3: https://osv.dev/vulnerability/CVE-2026-25680
- 4: https://pkg.go.dev/vuln/list
- 5: https://osv.dev/vulnerability/CVE-2026-42506
- 6: https://vuln.go.dev/
🌐 Web query:
GO-2026-5024 golang.org/x/sys CVE
💡 Result:
GO-2026-5024 (also identified as CVE-2026-39824) is a security vulnerability in the golang.org/x/sys/windows package [1][2][3]. The vulnerability involves the NewNTUnicodeString function, which fails to correctly validate input string lengths against the maximum capacity of an NTUnicodeString structure [1][4]. In Windows, NTUnicodeString structures use a 16-bit field to store the length of the string in bytes. When a provided string exceeds this maximum size, the function performs a silent truncation of the string instead of returning an error [2][5][6]. This behavior can lead to integer overflow or wraparound issues, potentially causing data integrity problems or unexpected application behavior when relying on this function for Unicode string handling [3][6]. The vulnerability was published on May 22, 2026 [2][3]. It affects versions of golang.org/x/sys prior to v0.44.0 [2][4]. Users are advised to update the package to version 0.44.0 or later to resolve the issue [5]. If upgrading is not immediately possible, manual length validation of strings before passing them to NewNTUnicodeString is recommended as a temporary mitigation [4][5].
Citations:
- 1: https://osv.dev/vulnerability/GO-2026-5024
- 2: https://pkg.go.dev/vuln/GO-2026-5024
- 3: https://nvd.nist.gov/vuln/detail/cve-2026-39824
- 4: https://app.opencve.io/cve/CVE-2026-39824
- 5: https://vulert.com/vuln-db/CVE-2026-39824
- 6: https://radar.offseq.com/threat/cve-2026-39824-cwe-190-integer-overflow-or-wraparo-9aa09532
Upgrade golang.org/x/net to v0.55.0+ and golang.org/x/sys to v0.44.0+ to resolve CVE exposures.
All 7 CVEs flagged in the original review are confirmed:
golang.org/x/net v0.53.0 (6 CVEs fixed in v0.55.0):
- GO-2026-5025, GO-2026-5027: XSS via incorrect HTML parsing (golang.org/x/net/html)
- GO-2026-5026: IDNA privilege escalation via Punycode mishandling
- GO-2026-5028: DoS via excessive CPU in HTML parser
- GO-2026-5029: XSS via DOCTYPE character reference handling
- GO-2026-5030: Additional golang.org/x/net vulnerability
golang.org/x/sys v0.43.0 (1 CVE fixed in v0.44.0):
- GO-2026-5024: Integer overflow in windows/NTUnicodeString length validation
Risk Assessment: Practical impact is LOW. Codebase inspection found zero direct usage of golang.org/x/net or golang.org/x/sys APIs; these are transitive dependencies pulled in by k8s.io/client-go and controller-runtime. The vulnerable code paths (HTML sanitization, IDNA validation, Windows NTLM auth) are not exercised by your operator's functionality.
However, per supply chain security guidelines, these indirect dependencies should still be upgraded. Update to:
golang.org/x/net v0.55.0or latergolang.org/x/sys v0.44.0or later
Then run the pre-commit checks: make generate && make manifests && go mod tidy && go mod vendor && hack/align-ocp-version.sh to ensure compatibility and stage any resulting changes.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
(GO-2026-5025)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
(GO-2026-5026)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
(GO-2026-5027)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
(GO-2026-5028)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
(GO-2026-5029)
[LOW] 79-79: golang.org/x/net 0.53.0: Invoking duplicate attributes can cause XSS in golang.org/x/net/html
(GO-2026-5030)
[LOW] 82-82: golang.org/x/sys 0.43.0: Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
(GO-2026-5024)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` around lines 78 - 86, Update the golang.org/x/net dependency from
v0.53.0 to v0.55.0 or later and the golang.org/x/sys dependency from v0.43.0 to
v0.44.0 or later in the go.mod file to address the identified CVEs. After making
these version changes, run the pre-commit checks by executing make generate,
make manifests, go mod tidy, go mod vendor, and hack/align-ocp-version.sh to
ensure compatibility and stage any resulting changes.
Bumps the other-go-modules group with 1 update in the / directory: [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo). Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.28.1...v2.32.0) Updates `github.com/onsi/gomega` from 1.39.1 to 1.40.0 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.39.1...v1.40.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: other-go-modules - dependency-name: github.com/onsi/gomega dependency-version: 1.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: other-go-modules ... Signed-off-by: dependabot[bot] <support@github.com>
9d610d8 to
264a56c
Compare
Bumps the other-go-modules group with 1 update in the / directory: github.com/onsi/ginkgo/v2.
Updates
github.com/onsi/ginkgo/v2from 2.28.1 to 2.32.0Release notes
Sourced from github.com/onsi/ginkgo/v2's releases.
Changelog
Sourced from github.com/onsi/ginkgo/v2's changelog.
Commits
9ff1646v2.32.00491f2aMake -fd exclusive of -p/-procs and -randomize-all334f74arespect SilenceSkips in fd mode, add test21047ceNo need for a new method.7d281e1Break out to two methods.5313727More integration, fewer changes.b83f524Fewer new methods.73c59dffeat: add -fd flag for RSpec-style documentation output76a2074feat: add --sleep-on-failure to pause a failed spec before teardown3c7bde4v2.31.0Updates
github.com/onsi/gomegafrom 1.39.1 to 1.40.0Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
87ee9d3v1.40.0ea66027v1.40.0 (full)e3fd789update docs to reflect new versioning strategy7d4ee30first push to master-litee4a82d1Bump github/codeql-action from 3 to 4 (#875)af62723Bump rexml from 3.4.0 to 3.4.2 in /docs (#870)e164221Bump github.com/onsi/ginkgo/v2 from 2.28.0 to 2.28.1 (#895)334a282Bump faraday from 2.12.2 to 2.14.1 in /docs (#896)Summary by CodeRabbit