
Bump golang.org/x/net to v0.53.0 to fix GO-2026-4918 #4242

Merged
stevenvegt merged 1 commit into master from fix/x-net-cve-master
May 11, 2026

@reinkrul
Member

Summary

Bump `golang.org/x/net` from v0.52.0 to v0.53.0 to fix GO-2026-4918 — infinite loop in HTTP/2 transport on bad `SETTINGS_MAX_FRAME_SIZE`. Reached via `http.Transport.RoundTrip` from `http/client/caching.go:68`.

Master was failing the scheduled govulncheck CI on this advisory; the equivalent fix already shipped in v6.2.5 and v5.4.33 on the release branches.

Assisted by AI

Fixes HTTP/2 transport infinite loop on bad SETTINGS_MAX_FRAME_SIZE
in net/http/internal/http2 (reached via http.Transport.RoundTrip from
http/client/caching.go).

Assisted by AI
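
Added example, not part of this pull request or the project's code: the PR names `SETTINGS_MAX_FRAME_SIZE` but does not say which values count as bad, so the code below only applies the range rule from RFC 9113 section 6.5.2 to a SETTINGS frame payload before the value is used. `CheckSettingsPayload`, the error names and the sample payloads are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Values from RFC 9113, section 6.5.2.
const (
	settingMaxFrameSize = 0x5
	minMaxFrameSize     = 1 << 14   // 16384, also the initial value
	maxMaxFrameSize     = 1<<24 - 1 // 16777215
)

var (
	ErrPayloadLength = errors.New("SETTINGS payload length is not a multiple of 6")
	ErrMaxFrameSize  = errors.New("SETTINGS_MAX_FRAME_SIZE outside 16384..16777215")
)

// CheckSettingsPayload (hypothetical helper) walks a SETTINGS frame payload,
// a sequence of 16-bit identifier / 32-bit value pairs, and returns the
// SETTINGS_MAX_FRAME_SIZE in effect afterwards, or an error to reject the frame.
func CheckSettingsPayload(payload []byte) (uint32, error) {
	if len(payload)%6 != 0 {
		return 0, ErrPayloadLength
	}
	size := uint32(minMaxFrameSize) // used when the peer does not send the setting
	for off := 0; off < len(payload); off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		if id != settingMaxFrameSize {
			continue // other settings are out of scope here
		}
		if val < minMaxFrameSize || val > maxMaxFrameSize {
			return 0, fmt.Errorf("%w: got %d", ErrMaxFrameSize, val)
		}
		size = val // a later entry overrides an earlier one
	}
	return size, nil
}

func main() {
	// Constructed payloads: 32768 (valid), 0 (too small), 16777216 (too large).
	for _, p := range [][]byte{{0, 5, 0, 0, 0x80, 0}, {0, 5, 0, 0, 0, 0}, {0, 5, 1, 0, 0, 0}} {
		size, err := CheckSettingsPayload(p)
		fmt.Println(size, err)
	}
}
```
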
@qltysh
Contributor

qltysh Bot commented May 11, 2026

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.01%.

🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@stevenvegt stevenvegt merged commit 656cf4d into master May 11, 2026
12 checks passed
@stevenvegt stevenvegt deleted the fix/x-net-cve-master branch May 11, 2026 15:55