
[Aikido] Fix 8 security issues in x/net, aws/aws-sdk-go-v2/service/s3, aws/aws-sdk-go-v2/aws/protocol/eventstream #36

Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-MAINT-1210-MAINT-1209-MAINT-1338-update-packages-51330067-4zde


Conversation

@aikido-autofix


Upgrade golang.org/x/net, AWS SDK S3, and eventstream to fix critical Punycode validation bypass enabling privilege escalation and DoS vulnerabilities.

✅ 7 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue | Severity | Description
AIKIDO-2026-11039 | 🚨 CRITICAL | [golang.org/x/net] Punycode validation bypass in idna functions allows ASCII-only labels to be incorrectly accepted, enabling privilege escalation when hostname validation is bypassed through encoded domain names. An attacker could exploit inconsistent validation between encoded and decoded hostnames to circumvent access controls.
AIKIDO-2026-11036 | MEDIUM | [golang.org/x/net] The HTML parser mishandled character references in DOCTYPE nodes, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML.
AIKIDO-2026-11035 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
AIKIDO-2026-11038 | MEDIUM | [golang.org/x/net] The HTML parser mishandled certain HTML elements in foreign content, causing them to be incorrectly rendered. This can lead to XSS when rendering parsed HTML.
AIKIDO-2026-11040 | MEDIUM | [golang.org/x/net] Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
AIKIDO-2026-11037 | LOW | [golang.org/x/net] Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
GHSA-xmrv-pmrh-hhx2 | MEDIUM | [github.com/aws/aws-sdk-go-v2/service/s3] The EventStream header decoder fails to validate header value type bytes, allowing a remote attacker to send malformed frames with crafted values that cause process termination (DoS). This vulnerability affects services using EventStream responses over the network.
🔗 Related Tasks
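
The AIKIDO-2026-11039 row turns on an A-label (an "xn--" label) whose Punycode decoding is pure ASCII being accepted, so that a check written against the encoded spelling and a check written against the decoded spelling disagree. The Go program below is an added example by the editor, not code from this PR, from Aikido or from golang.org/x/net: it canonicalizes a hostname to one representation before an allowlist lookup and rejects A-labels that decode to ASCII only. It carries its own small RFC 3492 decoder purely so that it runs with the standard library alone; real code should call golang.org/x/net/idna at the fixed version instead, and this toy also skips the IDNA mapping step for labels that are not A-labels (it only lowercases them). The allowlist and the hostnames are constructed for the example.

```go
package main

import "fmt"
import "strings"

// RFC 3492 Punycode parameters: base, tmin, tmax, skew, damp, initial bias and n.
const base, tmin, tmax, skew, damp, initBias, initN = 36, 1, 26, 38, 700, 72, 128
func nonASCII(r rune) bool { return r >= 0x80 }

// adapt is the bias adaptation function of RFC 3492 section 6.1.
func adapt(delta, numPoints int, first bool) int {
	div := 2
	if first {
		div = damp
	}
	delta = delta/div + delta/div/numPoints
	k := 0
	for ; delta > (base-tmin)*tmax/2; k += base {
		delta /= base - tmin
	}
	return k + (base-tmin+1)*delta/(delta+skew)
}

// decodePunycode decodes the text after "xn--" (RFC 3492 section 6.2); whether the result is an acceptable label is the caller's decision.
func decodePunycode(s string) (string, error) {
	if strings.IndexFunc(s, nonASCII) >= 0 {
		return "", fmt.Errorf("non-ASCII byte in punycode input")
	}
	n, i, bias, pos := initN, 0, initBias, 0
	var out []rune
	if b := strings.LastIndexByte(s, '-'); b >= 0 {
		out, pos = []rune(s[:b]), b+1 // literal code points before the delimiter
	}
	for pos < len(s) {
		oldi, w := i, 1
		for k := base; ; k += base {
			if pos >= len(s) {
				return "", fmt.Errorf("truncated delta")
			}
			d := strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", s[pos]|0x20)
			pos++
			if d < 0 || d > (1<<31-1-i)/w {
				return "", fmt.Errorf("bad digit or delta overflow at offset %d", pos-1)
			}
			i += d * w
			t := k - bias
			if t < tmin {
				t = tmin
			} else if t > tmax {
				t = tmax
			}
			if d < t {
				break
			}
			w *= base - t // cannot overflow: d >= t >= 1 made i >= w just above
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		if n += i / (len(out) + 1); n > 0x10FFFF {
			return "", fmt.Errorf("code point out of range")
		}
		i %= len(out) + 1
		out = append(out, 0)
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return string(out), nil
}

// canonicalHost lowercases host and replaces each xn-- A-label by its decoded form
// so callers compare one representation. An A-label decoding to pure ASCII
// ("xn--api-" for "api") is rejected, as RFC 5891 requires: accepting it is the
// encoded/decoded inconsistency the advisory describes. Other labels are only lowercased here.
func canonicalHost(host string) (string, error) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	for idx, l := range labels {
		if !strings.HasPrefix(l, "xn--") {
			continue
		}
		dec, err := decodePunycode(l[4:])
		if err == nil && strings.IndexFunc(dec, nonASCII) < 0 {
			err = fmt.Errorf("decodes to ASCII-only %q", dec)
		}
		if err != nil {
			return "", fmt.Errorf("label %q: %w", l, err)
		}
		labels[idx] = dec
	}
	return strings.Join(labels, "."), nil
}

func main() {
	allow := map[string]bool{"münchen.example": true, "api.example": true} // constructed, canonical form
	for _, h := range []string{"xn--mnchen-3ya.example", "XN--MNCHEN-3YA.example.", "xn--api-.example"} {
		c, err := canonicalHost(h) // compare the canonical form, never the raw string
		fmt.Printf("%-24s canonical=%q allowed=%v err=%v\n", h, c, err == nil && allow[c], err)
	}
}
```

The allowlist is stored in canonical form and every incoming host is canonicalized before the lookup, so the decision does not depend on which spelling the caller happened to receive; "xn--api-.example" is refused outright rather than silently treated as "api.example".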
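
The GHSA-xmrv-pmrh-hhx2 row describes a header decoder that did not validate the value-type byte, so a crafted frame could terminate the process. The Go program below is an added example by the editor, not the AWS SDK's code: a headers-section decoder that returns an error for unknown type bytes and bounds every length against the remaining input before using it. It assumes the vnd.amazon.eventstream header layout as the editor understands it (1-byte name length, name, 1-byte value type, value; types 0 through 9, with a 2-byte big-endian length prefix for byte-array and string values) and builds its own sample bytes; the frame prelude and CRC checks are outside its scope.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header value type bytes of the vnd.amazon.eventstream encoding as this
// example assumes them: 0 through 9, anything else is not a valid header.
const (
	typeBoolTrue uint8 = iota
	typeBoolFalse
	typeByte
	typeShort
	typeInteger
	typeLong
	typeByteArray
	typeString
	typeTimestamp
	typeUUID
)

// Header is one decoded header. Value holds the raw value bytes; for the
// length-prefixed types that is the bytes after the 2-byte length.
type Header struct {
	Name  string
	Type  uint8
	Value []byte
}

var errMalformed = errors.New("malformed eventstream headers")

// valueLen returns the size of a value of type typ: a 2-byte prefix plus n
// bytes for byte-array and string values (length read from rest), else no
// prefix and a fixed n. An unknown type byte is an error, not a panic; that is
// the check whose absence the advisory describes.
func valueLen(typ uint8, rest []byte) (prefix, n int, err error) {
	switch typ {
	case typeBoolTrue, typeBoolFalse:
		return 0, 0, nil
	case typeByte:
		return 0, 1, nil
	case typeShort:
		return 0, 2, nil
	case typeInteger:
		return 0, 4, nil
	case typeLong, typeTimestamp:
		return 0, 8, nil
	case typeUUID:
		return 0, 16, nil
	case typeByteArray, typeString:
		if len(rest) < 2 {
			return 0, 0, fmt.Errorf("%w: truncated length prefix", errMalformed)
		}
		return 2, int(binary.BigEndian.Uint16(rest)), nil
	}
	return 0, 0, fmt.Errorf("%w: unknown value type byte 0x%02x", errMalformed, typ)
}

// decodeHeaders parses the headers section of a frame (the bytes between the
// prelude and the payload). Every length is checked against the remaining
// input before it is used, so truncated or oversized values fail cleanly.
func decodeHeaders(b []byte) ([]Header, error) {
	var hs []Header
	for len(b) > 0 {
		nameLen := int(b[0])
		if nameLen == 0 || len(b) < 1+nameLen+1 {
			return nil, fmt.Errorf("%w: bad name length %d", errMalformed, nameLen)
		}
		name, typ := string(b[1:1+nameLen]), b[1+nameLen]
		b = b[1+nameLen+1:]
		prefix, n, err := valueLen(typ, b)
		if err != nil {
			return nil, fmt.Errorf("header %q: %w", name, err)
		}
		if len(b) < prefix+n {
			return nil, fmt.Errorf("header %q: %w: value runs past end of input", name, errMalformed)
		}
		hs = append(hs, Header{Name: name, Type: typ, Value: b[prefix : prefix+n]})
		b = b[prefix+n:]
	}
	return hs, nil
}

// sampleHeaders builds a constructed headers block (not a captured frame):
// a string header followed by a 1-byte header whose type byte the caller picks.
func sampleHeaders(secondType uint8) []byte {
	name, value := ":event-type", "Records"
	b := append([]byte{byte(len(name))}, name...)
	b = append(b, typeString, byte(len(value)>>8), byte(len(value)))
	b = append(b, value...)
	b = append(b, byte(len(":message-type")))
	b = append(b, ":message-type"...)
	return append(b, secondType, 0x01)
}

func main() {
	for _, typ := range []uint8{typeByte, 0xff} {
		hs, err := decodeHeaders(sampleHeaders(typ))
		fmt.Printf("second type byte 0x%02x: headers=%d err=%v\n", typ, len(hs), err)
	}
}
```

A caller that receives an error drops the connection or the frame; the point is that an attacker-controlled type byte or length never reaches an index expression or a switch that has no default, which is where an unchecked decoder terminates the process.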
