Skip to content

Release new version including fix for GO-2026-4918 #1580

Description

@nhenneaux

govulncheck detects vulnerability fix by update of golang.org/x/net@v0.53.0 is needed and tag the new version

Vulnerability #1: GO-2026-4918
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
    net/http/internal/http2 in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4918
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.47.0
    Fixed in: golang.org/x/net@v0.53.0
    Example traces found:
      #1: prober/http.go:227:44: prober.transport.RoundTrip calls http.Transport.RoundTrip, which eventually calls http2.Transport.NewClientConn
      #2: prober/http.go:227:44: prober.transport.RoundTrip calls http.Transport.RoundTrip, which eventually calls http2.Transport.RoundTrip
      #3: prober/http.go:227:44: prober.transport.RoundTrip calls http.Transport.RoundTrip, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #4: prober/http.go:227:44: prober.transport.RoundTrip calls http.Transport.RoundTrip, which eventually calls http2.unencryptedTransport.RoundTrip
Your code is affected by 1 vulnerability from 1 module.
This scan also found 2 vulnerabilities in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions