Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
We are currently using github.com/gorilla/websocket version v1.5.2, which includes a transitive dependency on golang.org/x/net version v0.28.0.
During a security audit using Black Duck, a critical vulnerability was flagged in this transitive dependency. The issue relates to improper handling of IPv6 zone identifiers in the x/net/proxy and x/net/http/httpproxy modules. This flaw may allow attackers to bypass proxy configurations, posing a serious security risk.
To resolve this, we recommend updating golang.org/x/net to at least v0.41.0, which includes the necessary security patches.
Since this module is pulled in transitively through gorilla/websocket, we are unable to directly enforce this upgrade unless upstream dependencies are updated accordingly.
Please consider updating the dependency or providing guidance on a safe upgrade path.
Let us know if you need help validating or testing this change.
Expected Behavior
No response
Steps To Reproduce
No response
Anything else?
No response
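As an added example (not code from the reporter or the gorilla/websocket project), the following Go program checks the output of `go list -m all` in a consuming module against a required minimum for golang.org/x/net, so the transitively selected version can be verified before and after an upgrade; the module path example.com/app and the sample output are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding records a module whose selected version is below the required minimum.
type Finding struct{ Path, Have, Want string }

// moduleVersion parses "vMAJOR.MINOR.PATCH"; a "-pre"/"+build" suffix (as in a pseudo-version) is ignored.
func moduleVersion(v string) (nums [3]int, ok bool) {
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, err == nil && n == 3
}

// olderThan reports whether have < want; unparseable versions are never flagged, so review those by hand.
func olderThan(have, want string) bool {
	h, okH := moduleVersion(have)
	w, okW := moduleVersion(want)
	for i := 0; okH && okW && i < 3; i++ {
		if h[i] != w[i] {
			return h[i] < w[i]
		}
	}
	return false
}

// Audit scans `go list -m all` output ("path version" per line, main module first without a version).
func Audit(goListOutput string, minimums map[string]string) (findings []Finding) {
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 {
			if want, ok := minimums[f[0]]; ok && olderThan(f[1], want) {
				findings = append(findings, Finding{f[0], f[1], want})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample of `go list -m all` output; not real output from the reporter's project.
	sample := "example.com/app\ngithub.com/gorilla/websocket v1.5.2\ngolang.org/x/net v0.28.0\n"
	for _, f := range Audit(sample, map[string]string{"golang.org/x/net": "v0.41.0"}) {
		fmt.Printf("%s %s is below required %s\n", f.Path, f.Have, f.Want)
	}
}
```

Feed real output from `go list -m all` in the consuming module to Audit to confirm which x/net version the build actually selects. Under Go's minimum version selection, a direct `go get golang.org/x/net@v0.41.0` in the consuming module raises the selected version even while gorilla/websocket's own go.mod still requires v0.28.0, so re-running the check after that step shows whether the finding is resolved.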