
Update golang.org/x/net to resolve a false positive CVE-2026-33814 #309

Merged: stefanb merged 1 commit into grpc-ecosystem:master from bzumhagen:upgrade-http2 on May 13, 2026

Conversation

@bzumhagen (Contributor)

@stefanb (Collaborator) commented May 13, 2026

Please note this is a false positive within the context of grpc-health-check.

You can confirm this with govulncheck and see that the vulnerable code from the vulnerable upstream Go module dependency golang.org/x/net cannot be reached from grpc-health-check.

➜  grpc-health-probe git:(master) go run golang.org/x/vuln/cmd/govulncheck@latest -show verbose ./...
Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

The package pattern matched the following root package:
  github.com/grpc-ecosystem/grpc-health-probe
Govulncheck scanned the following 10 modules and the go1.26.3 standard library:
  github.com/grpc-ecosystem/grpc-health-probe
  github.com/go-jose/go-jose/v4@v4.1.4
  github.com/spiffe/go-spiffe/v2@v2.6.0
  golang.org/x/net@v0.49.0
  golang.org/x/sync@v0.19.0
  golang.org/x/sys@v0.40.0
  golang.org/x/text@v0.33.0
  google.golang.org/genproto/googleapis/rpc@v0.0.0-20260120221211-b8f7ae30c516
  google.golang.org/grpc@v1.80.0
  google.golang.org/protobuf@v1.36.11

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

Vulnerability #1: GO-2026-4918
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
    net/http/internal/http2 in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4918
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.49.0
    Fixed in: golang.org/x/net@v0.53.0

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.

I checked this only hours after the last release.

Yes, false positives are annoying, and sometimes hard to justify, but this seems to be a case not to panic about.
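The report above draws the distinction that matters here: govulncheck's "Symbol Results" lists vulnerabilities whose vulnerable function is actually reachable from the scanned code, while "Package Results" lists modules that are merely imported. As an added example, not code from this PR or from the grpc-health-probe project, the Go program below reads the streaming JSON that govulncheck emits with `-json`, sorts each OSV ID into reachable (symbol-level) or unreachable (package- or module-level), and fails only on the former, so a CI gate does not block on a finding like the one discussed in this thread. The JSON field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `version`, `package`, `function`) and the rule that the first trace frame names a function only when the symbol is reachable are assumptions about the golang.org/x/vuln JSON schema and should be checked against the govulncheck version in use; the embedded sample stream is constructed, and `GO-0000-PLACEHOLDER`, `example.com/dep` and `example.com/app` are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame is one entry of a finding's call trace. Field names are assumed from
// the golang.org/x/vuln JSON schema; check them against your govulncheck version.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the "finding" object of the govulncheck -json stream.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// message is one stream object; config/progress/osv objects leave Finding nil.
type message struct {
	Finding *Finding `json:"finding"`
}

// Level mirrors the sections of govulncheck's text report (assumed rule): the
// first trace frame names a function when the vulnerable symbol is reachable,
// only a package when the package is imported but the symbol is never called,
// and only a module when the module is merely required.
func Level(f Finding) string {
	if len(f.Trace) == 0 {
		return "unknown"
	}
	first := f.Trace[0]
	switch {
	case first.Function != "":
		return "symbol"
	case first.Package != "":
		return "package"
	default:
		return "module"
	}
}

// Summary sorts OSV IDs by whether any finding reached a vulnerable symbol.
type Summary struct {
	Reachable   map[string]bool // at least one symbol-level finding
	Unreachable map[string]bool // only package- or module-level findings
}

// Triage decodes a govulncheck -json stream; an ID seen at both levels
// counts as reachable.
func Triage(r io.Reader) (Summary, error) {
	s := Summary{Reachable: map[string]bool{}, Unreachable: map[string]bool{}}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return s, nil
		} else if err != nil {
			return s, err
		}
		if m.Finding == nil {
			continue
		}
		id := m.Finding.OSV
		if Level(*m.Finding) == "symbol" {
			s.Reachable[id] = true
			delete(s.Unreachable, id)
		} else if !s.Reachable[id] {
			s.Unreachable[id] = true
		}
	}
}

// ShouldFail is the CI gate: only a reachable vulnerable symbol fails the build.
func ShouldFail(s Summary) bool { return len(s.Reachable) > 0 }

// sampleStream is a constructed excerpt: a package-level finding shaped like
// the GO-2026-4918 result in this PR, plus a constructed symbol-level finding
// for a placeholder ID to show the failing case.
const sampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2026-4918","fixed_version":"v0.53.0","trace":[{"module":"golang.org/x/net","version":"v0.49.0","package":"golang.org/x/net/http2"}]}}
{"finding":{"osv":"GO-0000-PLACEHOLDER","fixed_version":"v9.9.9","trace":[{"module":"example.com/dep","version":"v1.0.0","package":"example.com/dep","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

func main() {
	// Real use: govulncheck -json ./... | go run triage.go
	// Here the constructed sample is read instead of os.Stdin.
	s, err := Triage(strings.NewReader(sampleStream))
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(2)
	}
	for id := range s.Unreachable {
		fmt.Printf("%s: imported or required only, not reachable (informational)\n", id)
	}
	for id := range s.Reachable {
		fmt.Printf("%s: vulnerable symbol reachable, upgrade required\n", id)
	}
	if ShouldFail(s) {
		os.Exit(1)
	}
}
```

On the sample input the GO-2026-4918 entry lands in Unreachable and is only reported, while the placeholder symbol-level finding makes the program exit 1; swap `strings.NewReader(sampleStream)` for `os.Stdin` to gate a real pipeline. Keep printing the unreachable IDs rather than dropping them: reachability changes as code is added, and the informational line is what you point scanner reports at when they flag the dependency anyway.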

stefanb changed the title from "Update golang.org/x/net to resolve vulnerability" to "Update golang.org/x/net to resolve a false positive CVE-2026-33814" on May 13, 2026
@bzumhagen (Contributor, Author) commented

@stefanb thanks for the clarification! What would you like me to do with this PR? Does it still make sense to update to avoid snyk and other tools yelling at people?

stefanb merged commit 013d6fa into grpc-ecosystem:master on May 13, 2026 (2 checks passed)
@stefanb (Collaborator) commented May 13, 2026

Merged and published release 0.4.50 for whoever finds it easier to just upgrade instead of justifying why the security scanners are sometimes wrong 😅

Thanks for your contribution!
