chore(deps): update module golang.org/x/net to v0.38.0 [security] - failed

[dominikholler]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/net	v0.33.0 -> v0.38.0

Release note

Update dependecy golang.org/x/net to v0.38.0

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

• https://go.dev/cl/654697
• https://go.dev/issue/71984

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• https://go-review.googlesource.com/q/project:net
• https://go.dev/cl/654697
• https://go.dev/issue/71984
• https://pkg.go.dev/vuln/GO-2025-3503
• https://security.netapp.com/advisory/ntap-20250509-0007
• http://www.openwall.com/lists/oss-security/2025/03/07/2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22872
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
• https://pkg.go.dev/vuln/GO-2025-3595
• https://security.netapp.com/advisory/ntap-20250516-0007

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[kvrenovatebot]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Command failed: DOCKER=0 make bazel-generate
Loading: 
Loading: 0 packages loaded
Analyzing: target //:gazelle (0 packages loaded, 0 targets configured)
INFO: Analyzed target //:gazelle (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
[0 / 1] [Prepa] BazelWorkspaceStatusAction stable-status.txt
Target //:gazelle up-to-date:
  bazel-bin/gazelle-runner.bash
  bazel-bin/gazelle
INFO: Elapsed time: 0.241s, Critical Path: 0.08s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Running command line: bazel-bin/gazelle staging/src pkg/ tools/ tests/ cmd/ vendor/
INFO: Build completed successfully, 1 total action
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/aio_buffer.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/aio_buffer.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/bindings.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/bindings.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/closures.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/closures.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/handle.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/handle.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/wrappers.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/wrappers.go: pkg-config not supported: #cgo pkg-config: libnbd
Loading: 
Loading: 0 packages loaded
Analyzing: target @com_github_bazelbuild_buildtools//buildozer:buildozer (0 packages loaded, 0 targets configured)
INFO: Analyzed target @com_github_bazelbuild_buildtools//buildozer:buildozer (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
[0 / 2] [Prepa] BazelWorkspaceStatusAction stable-status.txt
Target @com_github_bazelbuild_buildtools//buildozer:buildozer up-to-date:
  bazel-bin/external/com_github_bazelbuild_buildtools/buildozer/buildozer_/buildozer
INFO: Elapsed time: 0.365s, Critical Path: 0.13s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Running command line: bazel-bin/external/com_github_bazelbuild_buildtools/buildozer/buildozer_/buildozer 'add clinkopts -lnbd' ///home/ubuntu/go/src/kubevirt.io/containerized-data-importer/vendor/libguestfs.org/libnbd/:go_default_library
INFO: Build completed successfully, 1 total action
/home/ubuntu/go/src/kubevirt.io/containerized-data-importer/vendor/libguestfs.org/libnbd/BUILD: file not found or not readable
make: *** [Makefile:168: bazel-generate] Error 2

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aglitke for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-bot]

@dominikholler: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cdi-unit-test-s390x	4ca2c90	link	false	/test pull-cdi-unit-test-s390x
pull-cdi-goveralls	4ca2c90	link	false	/test pull-cdi-goveralls
pull-cdi-unit-test	4ca2c90	link	true	/test pull-cdi-unit-test
pull-cdi-apidocs	4ca2c90	link	true	/test pull-cdi-apidocs
pull-cdi-generate-verify	4ca2c90	link	true	/test pull-cdi-generate-verify
pull-containerized-data-importer-fossa	4ca2c90	link	true	/test pull-containerized-data-importer-fossa
pull-containerized-data-importer-e2e-nfs	4ca2c90	link	true	/test pull-containerized-data-importer-e2e-nfs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.