[Bug]: Security Vulnerability: Go Package: golang.org/x/net <= 0.44.0 - Multiple Remote Denial of Service Vulnerabilities - 0.45.0

_**Important Note:  NVIDIA AI Enterprise customers can get support from NVIDIA Enterprise support. Please open a case [here](https://enterprise-support.nvidia.com/s/create-case)**._

**Describe the bug**
golang.org/x/net package used in the latest version <= 0.44.0,
Description:

The parser implements the HTML specification, which contains a number of algorithms which are quadratic in complexity by design. This causes the processing time to scale non-linearly with respect to the size of the input for some HTML documents. We have imposed a depth limit of 512 for nested HTML tags, which should be high enough for the vast majority of valid HTML documents, to address this. [CVE-2025-47911] 2) The parser also misimplemented a portion of the HTML specification for table related tags. This could cause the parser to enter an infinite loop when encountering specific combinations of tags. [CVE-2025-58190] Vendor Affected Components: Go Package: golang.org/x/net: < 0.45.0

**To Reproduce**
Scan the image, or Please find the snippet attached.

<img width="1583" height="622" alt="Image" src="https://github.com/user-attachments/assets/c8f562d0-b644-4849-bd22-8947843d4711" />

**Expected behavior**
Update Go Package: golang.org/x/net to version 0.45.0 or later.

**Environment (please provide the following information):**
 - GPU Operator Version: [e.g. v25.3.0] NA
 - OS: [e.g. Ubuntu24.04] NA
 - Kernel Version: [e.g. 6.8.0-generic] NA
 - Container Runtime Version: [e.g. containerd 2.0.0] NA
 - Kubernetes Distro and Version: [e.g. K8s, OpenShift, Rancher, GKE, EKS] NA



**Information to [attach](https://help.github.com/articles/file-attachments-on-issues-and-pull-requests/)** (optional if deemed irrelevant): NA

 - [ ] kubernetes pods status: `kubectl get pods -n OPERATOR_NAMESPACE`
 - [ ] kubernetes daemonset status: `kubectl get ds -n OPERATOR_NAMESPACE`
 - [ ] If a pod/ds is in an error state or pending state `kubectl describe pod -n OPERATOR_NAMESPACE POD_NAME`
 - [ ] If a pod/ds is in an error state or pending state `kubectl logs -n OPERATOR_NAMESPACE POD_NAME --all-containers`
 - [ ] Output from running `nvidia-smi` from the driver container: `kubectl exec DRIVER_POD_NAME -n OPERATOR_NAMESPACE -c nvidia-driver-ctr -- nvidia-smi`
 - [ ] containerd logs `journalctl -u containerd > containerd.log`


Collecting full debug bundle (optional): NA

```
curl -o must-gather.sh -L https://raw.githubusercontent.com/NVIDIA/gpu-operator/main/hack/must-gather.sh
chmod +x must-gather.sh
./must-gather.sh
```
**NOTE**: please refer to the [must-gather](https://raw.githubusercontent.com/NVIDIA/gpu-operator/main/hack/must-gather.sh) script for debug data collected.

This bundle can be submitted to us via email: **operator_feedback@nvidia.com**


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Security Vulnerability: Go Package: golang.org/x/net <= 0.44.0 - Multiple Remote Denial of Service Vulnerabilities - 0.45.0 #2102

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug]: Security Vulnerability: Go Package: golang.org/x/net <= 0.44.0 - Multiple Remote Denial of Service Vulnerabilities - 0.45.0 #2102

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions