This is a PRIVATE issue for CVE-2025-22868, tracked in http://b/392867809 and fixed by https://go-internal-review.git.corp.google.com/c/oauth2/+/1920.

/cc @golang/security and @golang/release