[release/v25.3.x] Bump Go toolchain to 1.25.10 and golang.org/x/net to v0.54.0 (Snyk findings)#1507

Merged
RafalKorepta merged 1 commit into
release/v25.3.xfrom
tb/backport-snyk-v25.3.x
May 12, 2026
Conversation

@twmb twmb (Contributor) commented May 8, 2026

Summary

Backport of #1506 to release/v25.3.x. Comprehensive dep bump across all workspace modules:

  • Go toolchain: 1.25.7 → 1.25.10
  • golang.org/x/net: v0.52.0 → v0.54.0

Vulnerabilities addressed

  • HIGH: Infinite loop in golang.org/x/net/http2 — CVE-2026-33814
  • HIGH: Double Free in std/net — CVE-2026-33811
  • HIGH: Uncaught Exception in std/net — CVE-2026-39836
  • HIGH: Infinite loop in std/net/http — CVE-2026-33814

Snyk DB lag — OSV / Go vuln DB confirm the fix releases.

Manual backport (no backport label) — the auto-backport bot does cherry-picks which fail for dep bumps.

@twmb twmb changed the title [release/v25.3.x] Bump golang.org/x/net to v0.54.0 to address Snyk findings [release/v25.3.x] Bump Go toolchain to 1.25.10 and golang.org/x/net to v0.54.0 (Snyk findings) May 10, 2026
@twmb twmb force-pushed the tb/backport-snyk-v25.3.x branch from 053adad to 103b7c9 on May 11, 2026 18:58
…ndings)

Backport of #1506 to release/v25.3.x. Comprehensive dep bump across all
workspace modules:
- Go toolchain: 1.25.7 → 1.25.10
- golang.org/x/net: v0.52.0 → v0.54.0

Also pins pkgs.go_1_25 in ci/overlay.nix to 1.25.10 so nix's auto-toolchain
mechanism doesn't break go-licenses' stdlib resolution (stdlib served from
the module cache reports Module==nil, causing the licenses generator to
fail). Updates the tool-versions golden file (TestToolVersions) for the
new go/helm/kind GoVersion strings.

Vulnerabilities addressed (all HIGH, Snyk DB-lagged but OSV/Go vuln DB
confirm the fix release):
- CVE-2026-33811 Double Free in std/net (GO-2026-4981)
- CVE-2026-39836 Uncaught Exception in std/net (GO-2026-4971)
- CVE-2026-33814 Infinite loop in std/net/http (GO-2026-4918)
- CVE-2026-33814 Infinite loop in golang.org/x/net/http2 (x/net → 0.54.0)

Manual backport (no `backport` label) — the auto-backport bot does
cherry-picks which fail for dep bumps.
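One way to verify that every module in a workspace actually picked up the two bumps the description and commit message above list (Go toolchain 1.25.10 and golang.org/x/net v0.54.0), as an added example that is not part of this PR or the project's own code: a small Go program that parses each go.mod for its go/toolchain directive and its golang.org/x/net requirement and compares them against the fix versions. The sample go.mod texts are constructed, the minimum versions are the ones the PR names, and the function names (ParseGoMod, CompareVersions, CheckModule, CheckWorkspace) are assumptions of this example. A module that does not require x/net at all is reported clean for that dependency, since the http2 fix cannot apply to it; a module with no go or toolchain directive is flagged because its toolchain cannot be verified.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// requirement is a minimum version every workspace module must meet.
// The two entries mirror the bumps named in the PR; "toolchain" is taken from
// the toolchain directive, falling back to the go directive.
type requirement struct {
	dep, min string
}

var requirements = []requirement{
	{"toolchain", "1.25.10"},
	{"golang.org/x/net", "0.54.0"},
}

// Constructed sample go.mod files standing in for workspace modules (not the repository's own).
var sampleModules = map[string]string{
	"up-to-date": `module example.com/up-to-date

go 1.25.10

toolchain go1.25.10

require (
	golang.org/x/net v0.54.0 // fixed http2 release
	golang.org/x/sys v0.20.0
)
`,
	"stale": `module example.com/stale

go 1.25.7

require golang.org/x/net v0.52.0
`,
}

// ParseGoMod extracts the go and toolchain directives and every require entry
// (single-line or block form) into a name -> version map, "v"/"go" prefixes stripped.
func ParseGoMod(text string) map[string]string {
	found := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
		case fields[0] == "go" && len(fields) == 2:
			found["go"] = fields[1]
		case fields[0] == "toolchain" && len(fields) == 2:
			found["toolchain"] = strings.TrimPrefix(fields[1], "go")
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) == 3:
			found[fields[1]] = strings.TrimPrefix(fields[2], "v")
		case inBlock && len(fields) >= 2:
			found[fields[0]] = strings.TrimPrefix(fields[1], "v")
		}
	}
	return found
}

// numericParts splits "1.25.10" into its dotted components, dropping any
// pre-release or pseudo-version suffix that follows '-' or '+'.
func numericParts(v string) []string {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	return strings.Split(v, ".")
}

// CompareVersions returns -1, 0 or 1 ordering two dotted numeric versions;
// a missing component counts as 0, so "1.25" sorts below "1.25.10".
func CompareVersions(a, b string) int {
	as, bs := numericParts(a), numericParts(b)
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// CheckModule reports each requirement the named module fails to meet.
func CheckModule(name, gomod string) []string {
	versions := ParseGoMod(gomod)
	if _, ok := versions["toolchain"]; !ok {
		if g, ok := versions["go"]; ok {
			versions["toolchain"] = g
		}
	}
	var findings []string
	for _, r := range requirements {
		have, ok := versions[r.dep]
		switch {
		case !ok && r.dep == "toolchain":
			findings = append(findings, fmt.Sprintf("%s: no go or toolchain directive", name))
		case !ok:
			// dependency not required by this module, so the fix does not apply
		case CompareVersions(have, r.min) < 0:
			findings = append(findings, fmt.Sprintf("%s: %s %s is below %s", name, r.dep, have, r.min))
		}
	}
	return findings
}

// CheckWorkspace runs CheckModule over every module, in name order, and collects all findings.
func CheckWorkspace(modules map[string]string) []string {
	names := make([]string, 0, len(modules))
	for n := range modules {
		names = append(names, n)
	}
	sort.Strings(names)
	var all []string
	for _, n := range names {
		all = append(all, CheckModule(n, modules[n])...)
	}
	return all
}

func main() {
	findings := CheckWorkspace(sampleModules)
	if len(findings) == 0 {
		fmt.Println("all modules meet the minimum versions")
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	os.Exit(1) // non-zero so a CI step can fail on a missed module
}
```

In a real workspace the map of constructed go.mod strings would be replaced by reading every go.mod the go.work file lists; the comparison deliberately ignores pseudo-version suffixes so a module pinned to a commit of the fixed release is not reported as stale.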
@twmb twmb force-pushed the tb/backport-snyk-v25.3.x branch from 103b7c9 to b19849f on May 11, 2026 19:07
@RafalKorepta RafalKorepta merged commit d6d5b00 into release/v25.3.x May 12, 2026
10 checks passed
2 participants