
Bump vulnerable golang.org/x/crypto (v0.49.0) and golang.org/x/net (v0.52.0) in v0.30.2 #2730

Description

@areddy1213

v0.30.2 (current latest) pins golang.org/x/crypto v0.49.0 and golang.org/x/net v0.52.0, which our OSS vulnerability scanner flags with several security advisories. Downstream FIPS rebuilds must currently force-bump these before execution.

Our scans indicate the pinned versions are vulnerable to the following:

golang.org/x/crypto (v0.49.0): Vulnerable to CVE-2026-39829 (CPU Denial of Service via pathological RSA/DSA parameters during public key verification).

golang.org/x/net (v0.52.0): Vulnerable to CVE-2026-42506 (XSS due to incorrect handling of namespaced elements in foreign content).

Please update go.mod to the current versions—golang.org/x/crypto (≥ v0.53.0, which step-issuer v0.11.0 already ships) and golang.org/x/net (≥ v0.56.0)—and cut a patch release so downstream consumers can drop manual go get remediations.

Steps to reproduce:

go get golang.org/x/crypto@v0.53.0
go get golang.org/x/net@v0.56.0
go mod tidy
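The remediation above is a manual `go get` per module. A check that a downstream consumer can run before deciding whether that bump is needed, as an added example that is not part of the issue or of the step-issuer project: it parses a go.mod, compares the pinned golang.org/x/crypto and golang.org/x/net versions against the minimums the issue names (v0.53.0 and v0.56.0), and emits the corresponding `go get` lines. The sample go.mod is constructed to mirror the v0.30.2 pins described above; the module name in it is a placeholder.

```python
"""Check a go.mod's pinned versions against the minimums named in this issue.

Added example, not code from the step-issuer project. The minimum versions
come from the issue text; the sample go.mod below is constructed.
"""
import re

# Minimum versions as stated in the issue (x/crypto >= v0.53.0, x/net >= v0.56.0).
MINIMUMS = {
    "golang.org/x/crypto": "v0.53.0",
    "golang.org/x/net": "v0.56.0",
}

# Constructed sample go.mod mirroring the v0.30.2 pins described in the issue.
# The module path is a placeholder, not a real project.
SAMPLE_GO_MOD = """\
module example.com/constructed/step-issuer-consumer

go 1.24

require (
\tgolang.org/x/crypto v0.49.0
\tgolang.org/x/net v0.52.0
\tgolang.org/x/text v0.30.0 // indirect
)
"""

# A require entry: module path, whitespace, a v-prefixed semver (optionally pre-release/build).
_REQ_LINE = re.compile(r"^\s*(\S+)\s+(v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-+]*)?)")


def parse_go_mod(text):
    """Return {module: version} for every require entry, block form or single-line form."""
    pins = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].rstrip()  # drop trailing comments such as "// indirect"
        if not line.strip():
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line.strip() == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]  # single-line form: "require mod vX.Y.Z"
        elif not in_block:
            continue  # module/go/replace/exclude lines are not pins
        m = _REQ_LINE.match(line)
        if m:
            pins[m.group(1)] = m.group(2)
    return pins


def version_key(v):
    """Sort key for a Go semver tag; a pre-release (-rc1, ...) sorts before its release."""
    core, _, pre = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in core.split("+", 1)[0].split("."))
    return (nums, 1) if not pre else (nums, 0, pre)


def find_outdated(pins, minimums=MINIMUMS):
    """Return {module: (pinned, required)} for every listed module pinned below its minimum."""
    outdated = {}
    for mod, required in minimums.items():
        pinned = pins.get(mod)
        if pinned is not None and version_key(pinned) < version_key(required):
            outdated[mod] = (pinned, required)
    return outdated


def remediation_commands(outdated):
    """The `go get` lines from the issue, one per outdated module, followed by `go mod tidy`."""
    cmds = [f"go get {mod}@{req}" for mod, (_, req) in sorted(outdated.items())]
    return cmds + ["go mod tidy"] if cmds else []


if __name__ == "__main__":
    bad = find_outdated(parse_go_mod(SAMPLE_GO_MOD))
    for mod, (have, need) in bad.items():
        print(f"{mod}: pinned {have}, need >= {need}")
    print("\n".join(remediation_commands(bad)))
```

Run it against a real go.mod by replacing `SAMPLE_GO_MOD` with the file's contents; an empty result from `find_outdated` means both modules already meet the minimums the issue asks for and no manual bump is needed.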

Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)