Update module golang.org/x/net to v0.38.0 [SECURITY] (#2211)

pulumi-renovate[bot] · web-flow · commit 6e4b215f62d2 · 2025-12-02T11:44:17.000Z
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang.org/x/net | indirect | minor | `v0.35.0` -> `v0.38.0` | | golang.org/x/net | indirect | minor | `v0.36.0` -> `v0.38.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://redirect.github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) <details> <summary>More information</summary> #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) - [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net) - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) - [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) - [https://security.netapp.com/advisory/ntap-20250509-0007](https://security.netapp.com/advisory/ntap-20250509-0007) - [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://redirect.github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) <details> <summary>More information</summary> #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity Unknown #### References - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3503) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### golang.org/x/net vulnerable to Cross-site Scripting [CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) / [GHSA-vvgc-356p-c3xw](https://redirect.github.com/advisories/GHSA-vvgc-356p-c3xw) / [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) <details> <summary>More information</summary> #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) - [https://go.dev/cl/662715](https://go.dev/cl/662715) - [https://go.dev/issue/73070](https://go.dev/issue/73070) - [https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA](https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA) - [https://pkg.go.dev/vuln/GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) - [https://security.netapp.com/advisory/ntap-20250516-0007](https://security.netapp.com/advisory/ntap-20250516-0007) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-vvgc-356p-c3xw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) / [GHSA-vvgc-356p-c3xw](https://redirect.github.com/advisories/GHSA-vvgc-356p-c3xw) / [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) <details> <summary>More information</summary> #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). #### Severity Unknown #### References - [https://go.dev/cl/662715](https://go.dev/cl/662715) - [https://go.dev/issue/73070](https://go.dev/issue/73070) - [https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA](https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3595) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> ### GitHub Vulnerability Alerts #### [CVE-2025-22872](https://nvd.nist.gov/vuln/detail/CVE-2025-22872) The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).  Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
diff --git a/azure-go-aci/go.mod b/azure-go-aci/go.mod
@@ -81,7 +81,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-aks-helm/go.mod b/azure-go-aks-helm/go.mod
@@ -88,7 +88,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-aks-managed-identity/go.mod b/azure-go-aks-managed-identity/go.mod
@@ -83,7 +83,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-aks-multicluster/go.mod b/azure-go-aks-multicluster/go.mod
@@ -84,7 +84,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-aks/go.mod b/azure-go-aks/go.mod
@@ -85,7 +85,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-appservice-docker/go.mod b/azure-go-appservice-docker/go.mod
@@ -83,7 +83,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-call-azure-sdk/go.mod b/azure-go-call-azure-sdk/go.mod
@@ -93,7 +93,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-containerapps/go.mod b/azure-go-containerapps/go.mod
@@ -84,7 +84,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/azure-go-static-website/go.mod b/azure-go-static-website/go.mod
@@ -83,7 +83,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
diff --git a/ovhcloud-go-kubernetes/go.mod b/ovhcloud-go-kubernetes/go.mod
@@ -77,7 +77,7 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
