Skip to content

[release/v25.3.x] Bump Go toolchain to 1.25.10 and golang.org/x/net to v0.54.0 (Snyk findings)#1507

Open
twmb wants to merge 4 commits intorelease/v25.3.xfrom
tb/backport-snyk-v25.3.x
Open

[release/v25.3.x] Bump Go toolchain to 1.25.10 and golang.org/x/net to v0.54.0 (Snyk findings)#1507
twmb wants to merge 4 commits intorelease/v25.3.xfrom
tb/backport-snyk-v25.3.x

Conversation

@twmb
Copy link
Copy Markdown
Contributor

@twmb twmb commented May 8, 2026
edited
Loading

Summary

Backport of #1506 to release/v25.3.x. Comprehensive dep bump across all workspace modules:

  • Go toolchain: 1.25.7 → 1.25.10
  • golang.org/x/net: v0.52.0 → v0.54.0

Vulnerabilities addressed

HIGH: Infinite loop in golang.org/x/net/http2 — CVE-2026-33814

HIGH: Double Free in std/net — CVE-2026-33811

HIGH: Uncaught Exception in std/net — CVE-2026-39836

HIGH: Infinite loop in std/net/http — CVE-2026-33814

Snyk DB lag — OSV / Go vuln DB confirm the fix releases.

Manual backport (no backport label) — the auto-backport bot does cherry-picks which fail for dep bumps.

@twmb @claude
Bump golang.org/x/net to v0.54.0 to address Snyk findings
de9317f 
Backport of #1506 to release/v25.3.x.

Addresses:
- SNYK-GOLANG-GOLANGORGXNETHTTP2-16535157 / CVE-2026-33814
  Infinite loop in golang.org/x/net/http2
  https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-16535157
  https://pkg.go.dev/vuln/GO-2026-4918

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@twmb
Bump Go toolchain to 1.25.10 to address Snyk stdlib findings
c0d0da4 
Bumps the go directive in all workspace modules from 1.25.7 to 1.25.10,
addressing HIGH severity stdlib vulnerabilities:

- CVE-2026-33811 Double Free in std/net (GO-2026-4981)
- CVE-2026-39836 Uncaught Exception in std/net (GO-2026-4971)
- CVE-2026-33814 Infinite loop in std/net/http (GO-2026-4918)

Snyk reports these as "no fix available" but OSV / Go vuln DB confirm
1.25.10 is the fix release for the 1.25.x line — Snyk DB lag.

Also applies CI-regenerated licenses/third_party.md diff for the x/net
0.54.0 transitive bumps.
@twmb twmb changed the title [release/v25.3.x] Bump golang.org/x/net to v0.54.0 to address Snyk findings [release/v25.3.x] Bump Go toolchain to 1.25.10 and golang.org/x/net to v0.54.0 (Snyk findings) May 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RafalKorepta RafalKorepta Awaiting requested review from RafalKorepta RafalKorepta is a code owner

@chrisseto chrisseto Awaiting requested review from chrisseto chrisseto is a code owner

@andrewstucki andrewstucki Awaiting requested review from andrewstucki andrewstucki is a code owner

@gene-redpanda gene-redpanda Awaiting requested review from gene-redpanda gene-redpanda is a code owner

@hidalgopl hidalgopl Awaiting requested review from hidalgopl hidalgopl is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@twmb