Dependency vulnerability alerts for Go (advisory; requires confirmation).
# Go security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-24790 — Go net/netip IPv4-mapped IPv6 misclassification — SSRF bypass Context: IPv4-mapped IPv6 addresses can bypass IP allowlist checks and access internal resources via SSRF. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-24790 WHEN you detect `go` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-24790: go may be vulnerable. IPv4-mapped IPv6 addresses can bypass IP allowlist checks and access internal resources via SSRF. Patched versions: go >=1.22.4 CHECK for dependency conflicts before proposing any upgrade: Run: `go mod why -m go` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2023-39325 — Go HTTP/2 rapid reset DoS Context: HTTP/2 servers can be overwhelmed by rapid stream resets, exhausting resources and causing denial of service. Actively exploited in the wild. Source: https://nvd.nist.gov/vuln/detail/CVE-2023-39325 WHEN you detect `golang.org/x/net` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2023-39325: golang.org/x/net may be vulnerable. HTTP/2 servers can be overwhelmed by rapid stream resets, exhausting resources and causing denial of service. Actively exploited in the wild. Patched versions: golang.org/x/net >=0.17.0 CHECK for dependency conflicts before proposing any upgrade: Run: `go mod why -m golang.org/x/net` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---
# Go security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-24790 — Go net/netip IPv4-mapped IPv6 misclassification — SSRF bypass Context: IPv4-mapped IPv6 addresses can bypass IP allowlist checks and access internal resources via SSRF. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-24790 WHEN you detect `go` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-24790: go may be vulnerable. IPv4-mapped IPv6 addresses can bypass IP allowlist checks and access internal resources via SSRF. Patched versions: go >=1.22.4 CHECK for dependency conflicts before proposing any upgrade: Run: `go mod why -m go` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2023-39325 — Go HTTP/2 rapid reset DoS Context: HTTP/2 servers can be overwhelmed by rapid stream resets, exhausting resources and causing denial of service. Actively exploited in the wild. Source: https://nvd.nist.gov/vuln/detail/CVE-2023-39325 WHEN you detect `golang.org/x/net` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2023-39325: golang.org/x/net may be vulnerable. HTTP/2 servers can be overwhelmed by rapid stream resets, exhausting resources and causing denial of service. Actively exploited in the wild. Patched versions: golang.org/x/net >=0.17.0 CHECK for dependency conflicts before proposing any upgrade: Run: `go mod why -m golang.org/x/net` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---