Skip to content

fix(deps): vuln minor upgrades — 5 packages (minor: 5) [grpc_check/tests]#3049

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/tests/0-1783348147
Draft

fix(deps): vuln minor upgrades — 5 packages (minor: 5) [grpc_check/tests]#3049
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/tests/0-1783348147

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 5 packages upgraded (MINOR changes included)

Manifests changed:

  • grpc_check/tests (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
google.golang.org/grpc v1.48.0 v1.82.0 minor Direct 3 CRITICAL, 2 HIGH
golang.org/x/net v0.0.0-20201021035429-f5854403a974 v0.56.0 minor Transitive 18 HIGH, 21 MEDIUM, 7 UNKNOWN
golang.org/x/text v0.3.3 v0.38.0 minor Transitive 6 HIGH
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 v0.46.0 minor Transitive 3 MEDIUM, 1 UNKNOWN
google.golang.org/protobuf v1.27.1 v1.36.11 minor Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (29 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.48.0 1.79.3 -
google.golang.org/grpc CVE-2026-33186 critical gRPC-Go has an authorization bypass via missing leading slash in :path v1.48.0 - -
google.golang.org/grpc GO-2026-4762 critical Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.48.0 1.79.3 -
golang.org/x/net GO-2023-1571 high Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.7.0 -
golang.org/x/net CVE-2023-44487 high This package is related to CVE CVE-2023-44487 which was detected by cisa.gov as actively being exploited in the wild v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net CVE-2021-44716 high - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2022-0288 high Unbounded memory growth in net/http and golang.org/x/net/http2 v0.0.0-20201021035429-f5854403a974 0.0.0-20211209124913-491a49abca63 -
golang.org/x/net GHSA-83g2-8m93-v3w7 HIGH golang.org/x/net/html Infinite Loop vulnerability v0.0.0-20201021035429-f5854403a974 0.0.0-20210520170846-37e1c6afe023 -
golang.org/x/net CVE-2021-33194 HIGH - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2024-3333 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.33.0 -
golang.org/x/net GHSA-w32m-9786-jp63 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GHSA-vvpx-j8f3-3w6h HIGH golang.org/x/net vulnerable to Uncontrolled Resource Consumption v0.0.0-20201021035429-f5854403a974 0.7.0 -
golang.org/x/net GO-2021-0238 HIGH Infinite loop when parsing inputs in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.0.0-20210520170846-37e1c6afe023 -
golang.org/x/net GO-2023-2102 HIGH HTTP/2 rapid reset can cause excessive work in net/http v0.0.0-20201021035429-f5854403a974 0.17.0 -
golang.org/x/net CVE-2022-41723 high - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2022-0969 high Denial of service in net/http and golang.org/x/net/http2 v0.0.0-20201021035429-f5854403a974 0.0.0-20220906165146-f3363e06e74c -
golang.org/x/net CVE-2022-27664 high - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GHSA-69cg-p879-7622 HIGH golang.org/x/net/http2 Denial of Service vulnerability v0.0.0-20201021035429-f5854403a974 0.0.0-20220906165146-f3363e06e74c -
golang.org/x/net GHSA-vc3p-29h2-gpcp HIGH golang.org/x/net/http2 allows uncontrolled memory consumption v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GHSA-4374-p667-p6c8 HIGH HTTP/2 rapid reset can cause excessive work in net/http v0.0.0-20201021035429-f5854403a974 0.17.0 -
golang.org/x/net CVE-2023-39325 HIGH - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/text GO-2022-1059 high Denial of service via crafted Accept-Language header in golang.org/x/text/language v0.3.3 0.3.8 -
golang.org/x/text GHSA-69ch-w2m2-3vjp HIGH golang.org/x/text/language Denial of service via crafted Accept-Language header v0.3.3 0.3.8 -
golang.org/x/text CVE-2022-32149 high - v0.3.3 - -
golang.org/x/text GO-2021-0113 high Out-of-bounds read in golang.org/x/text/language v0.3.3 0.3.7 -
golang.org/x/text CVE-2021-38561 high - v0.3.3 - -
golang.org/x/text GHSA-ppp9-7jff-5vj2 HIGH golang.org/x/text/language Out-of-bounds Read vulnerability v0.3.3 0.3.7 -
google.golang.org/grpc GHSA-m425-mq94-257g HIGH gRPC-Go HTTP/2 Rapid Reset vulnerability v1.48.0 1.56.3 -
google.golang.org/grpc GO-2023-2153 HIGH Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc v1.48.0 1.56.3 -
ℹ️ Other Vulnerabilities (34)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/net CVE-2022-41717 medium - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2022-1144 medium Excessive memory growth in net/http and golang.org/x/net/http2 v0.0.0-20201021035429-f5854403a974 0.4.0 -
golang.org/x/net CVE-2021-31525 medium - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2022-0236 medium Panic due to large headers in net/http and golang.org/x/net/http/httpguts v0.0.0-20201021035429-f5854403a974 0.0.0-20210428140749-89ef3d95e781 -
golang.org/x/sys CVE-2022-29526 medium - v0.0.0-20210119212857-b64e53b001e4 - -
golang.org/x/sys GO-2022-0493 medium Incorrect privilege reporting in syscall and golang.org/x/sys/unix v0.0.0-20210119212857-b64e53b001e4 0.0.0-20220412211240-33da011f77ad -
golang.org/x/net GO-2023-1988 MODERATE Improper rendering of text nodes in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.13.0 -
golang.org/x/net GHSA-vvgc-356p-c3xw MODERATE golang.org/x/net vulnerable to Cross-site Scripting v0.0.0-20201021035429-f5854403a974 0.38.0 -
golang.org/x/net GHSA-qppj-fm5r-hxr3 MODERATE HTTP/2 Stream Cancellation Attack v0.0.0-20201021035429-f5854403a974 0.17.0 -
golang.org/x/net GO-2025-3503 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.36.0 -
golang.org/x/net GHSA-qxp5-gwg8-xv66 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.36.0 -
golang.org/x/net GHSA-xrjj-mj9h-534m MODERATE golang.org/x/net/http2 vulnerable to possible excessive memory growth v0.0.0-20201021035429-f5854403a974 0.4.0 -
golang.org/x/net CVE-2023-44487 MODERATE - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GHSA-4v7x-pqxf-cx7m MODERATE net/http, x/net/http2: close connections when receiving too many headers v0.0.0-20201021035429-f5854403a974 0.23.0 -
golang.org/x/net GHSA-h86h-8ppg-mxmh MODERATE golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion v0.0.0-20201021035429-f5854403a974 0.0.0-20210428140749-89ef3d95e781 -
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2024-2687 MODERATE HTTP/2 CONTINUATION flood in net/http v0.0.0-20201021035429-f5854403a974 0.23.0 -
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2025-3595 MODERATE Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.38.0 -
golang.org/x/net CVE-2023-3978 MODERATE - v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.45.0 -
golang.org/x/net GHSA-2wrh-6pvc-2jm9 MODERATE Improper rendering of text nodes in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.13.0 -
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.0.0-20201021035429-f5854403a974 - -
golang.org/x/sys GHSA-p782-xgp4-8hr8 MODERATE golang.org/x/sys/unix has Incorrect privilege reporting in syscall v0.0.0-20210119212857-b64e53b001e4 0.0.0-20220412211240-33da011f77ad -
google.golang.org/protobuf GHSA-8r3f-844c-mc37 MODERATE Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON v1.27.1 1.33.0 -
google.golang.org/protobuf GO-2024-2611 MODERATE Infinite loop in JSON unmarshaling in google.golang.org/protobuf v1.27.1 1.33.0 -
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.53.0 -
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.0.0-20201021035429-f5854403a974 0.45.0 -
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.0.0-20201021035429-f5854403a974 0.55.0 -
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.0.0-20210119212857-b64e53b001e4 0.44.0 -
⚠️ Dependencies that have Reached EOL (5)
Dependency Unsafe Version EOL Date New Version Path
golang.org/x/net v0.0.0-20201021035429-f5854403a974 - v0.56.0 grpc_check/tests/docker/go.mod
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 - v0.46.0 grpc_check/tests/docker/go.mod
golang.org/x/text v0.3.3 - v0.38.0 grpc_check/tests/docker/go.mod
google.golang.org/grpc v1.48.0 Jul 12, 2025 v1.82.0 grpc_check/tests/docker/go.mod
google.golang.org/protobuf v1.27.1 - v1.36.11 grpc_check/tests/docker/go.mod

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants