[security] Vulnerability in golang.org/x/net/html

1,582 views
Skip to first unread message

Filippo Valsorda

unread,
May 20, 2021, 1:24:58 PM5/20/21
to golang-nuts, golang-...@googlegroups.com, golang-dev
Hello gophers,

Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.

An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.

This issue was discovered by OSS-Fuzz and reported to us by Andrew Thornton <ar...@cantab.net>, and is tracked as CVE-2021-33194.

Cheers,
Filippo on behalf of the Go team
Reply all
Reply to author
Forward
0 new messages