Update golang.org/x/oauth2 and golang.org/x/net to resolve 2 vulns #28

Open
KrisKennawayDD wants to merge 1 commit into grpc-ecosystem:main from KrisKennawayDD:kris.kennaway/update-x-pkgs

@KrisKennawayDD

Resolves two issues showing up on trivy scans (although likely not vulnerable in practice)

go.mod (gomod)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.34.0           │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:  │
│                     │                │          │        │                   │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22870                │
│                     ├────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22872 │          │        │                   │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input  │
│                     │                │          │        │                   │               │ During Web Page Generation in x/net in...                 │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872                │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │        │ v0.24.0           │ 0.27.0        │ golang.org/x/oauth2/jws: Unexpected memory consumption    │
│                     │                │          │        │                   │               │ during token parsing in golang.org/x/oauth2/jws           │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22868                │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
