Is there an existing issue for this?
Current Behavior
We are currently using github.com/gorilla/websocket version v1.5.2, which includes a transitive dependency on golang.org/x/net version v0.28.0.
During a security audit using Black Duck, a critical vulnerability was flagged in this transitive dependency. The issue relates to improper handling of IPv6 zone identifiers in the x/net/proxy and x/net/http/httpproxy modules. This flaw may allow attackers to bypass proxy configurations, posing a serious security risk.
To resolve this, we recommend updating golang.org/x/net to at least v0.41.0, which includes the necessary security patches.
Since this module is pulled in transitively through gorilla/websocket, we are unable to directly enforce this upgrade unless upstream dependencies are updated accordingly.
Please consider updating the dependency or providing guidance on a safe upgrade path.
Let us know if you need help validating or testing this change.
Expected Behavior
No response
Steps To Reproduce
No response
Anything else?
No response
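As an added example (not code from the gorilla/websocket project or from the issue author), the following POSIX shell script shows the check a maintainer or consumer would run before and after such an upgrade: read the resolved module graph as printed by `go list -m all`, find the version of golang.org/x/net that Go's minimal version selection actually picked, and compare it numerically against the minimum the issue asks for (v0.41.0). The module list embedded here is a constructed sample mirroring the versions named in the issue; the function names `resolved_version`, `semver_cmp`, `check_modlist` and the variable `FIXED_NET_VERSION` are this example's own choices.

```shell
#!/bin/sh
# Added example: verify the selected golang.org/x/net version against a minimum.
# Input format is that of `go list -m all`: one "module-path version" per line
# (the first line is the main module and carries no version; a replaced module
# prints the replacement after "=>", which this check deliberately ignores and
# judges by the original version in column 2).

FIXED_NET_VERSION="v0.41.0"   # minimum version requested in the issue (assumption)

# Constructed sample of `go list -m all` output, not captured from a real build.
SAMPLE_MODLIST='example.com/app
github.com/gorilla/websocket v1.5.2
golang.org/x/net v0.28.0
golang.org/x/sys v0.23.0'

# resolved_version MODULE_PATH  (module list on stdin)
# Prints the version selected for MODULE_PATH, or nothing if it is absent.
resolved_version() {
    awk -v mod="$1" '$1 == mod { print $2; exit }'
}

# semver_cmp A B : prints -1, 0 or 1 for A < B, A == B, A > B.
# Compares major.minor.patch numerically; a pre-release or pseudo-version
# (anything with a "-" suffix) sorts below the plain release with the same numbers.
semver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        apre = (a ~ /-/); bpre = (b ~ /-/)        # remember pre-release markers
        sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
        na = split(a, pa, "."); nb = split(b, pb, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        if (apre && !bpre) { print -1; exit }
        if (!apre && bpre) { print 1; exit }
        print 0
    }'
}

# check_modlist  (module list on stdin)
# Returns 0 when golang.org/x/net is absent or at/after FIXED_NET_VERSION,
# 1 when the selected version is older than the fix.
check_modlist() {
    have="$(resolved_version golang.org/x/net)"
    if [ -z "$have" ]; then
        echo "golang.org/x/net is not in the module graph"
        return 0
    fi
    if [ "$(semver_cmp "$have" "$FIXED_NET_VERSION")" = "-1" ]; then
        echo "VULNERABLE: golang.org/x/net $have is older than $FIXED_NET_VERSION"
        return 1
    fi
    echo "OK: golang.org/x/net $have satisfies >= $FIXED_NET_VERSION"
    return 0
}

# Stand-alone run against the constructed sample (exits 1, as the sample is old).
printf '%s\n' "$SAMPLE_MODLIST" | check_modlist
```

In a real checkout the same function is fed with `go list -m all | sh -c '. ./check.sh; check_modlist'` (or sourced into an interactive shell), and the verdict is worth re-running after `go get golang.org/x/net@v0.41.0 && go mod tidy`, which records a direct requirement in the consumer's own go.mod; `govulncheck ./...` from golang.org/x/vuln then reports whether the affected packages are actually reachable from the binary, which a version-only comparison like this one cannot tell.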