[security] Vulnerabilities in golang.org/x/net

anno...@golang.org

May 21, 2026, 10:24:11 PM
to golan...@googlegroups.com

Hello gophers,

We have tagged version v0.55.0 of golang.org/x/net in order to address the following security issues:

html: incorrect handling of namespaced elements in foreign content

The HTML parser mishandled certain namespaced elements in foreign content,
causing them to be incorrectly rendered. This can lead to XSS when rendering
parsed HTML.

Thanks to ensy for reporting this issue.

This is CVE-2026-42506 and Go issue https://go.dev/issue/79571.

x/net/idna: failure to reject ASCII-only Punycode-encoded labels

The ToASCII and ToUnicode functions incorrectly accepted Punycode-encoded labels
that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com")
incorrectly returned the name "example.com" rather than an error.

The idna package implements the processing algorithm from UTS 46.
Older versions of UTS 46 included a specification bug which permitted
multiple ASCII labels to decode to the same Unicode label.
UTS 46 revision 33 fixed the specification bug.
The idna package now implements the updated specification.

This behavior can lead to privilege escalation in programs using the idna package.
For example, a program which performs privilege checks on the ASCII hostname
may reject "example.com" but permit "xn--example-.com". If that program subsequently
converts the ASCII hostname to Unicode, it will inadvertently permit access
to the Unicode name "example.com".

Thanks to KC1zs4 (https://github.com/KC1zs4) for reporting this issue.

This is CVE-2026-39821 and Go issue https://go.dev/issue/78760.

html: incorrect handling of HTML elements in foreign content

The HTML parser mishandled certain HTML elements in foreign content, causing
them to be incorrectly rendered. This can lead to XSS when rendering parsed
HTML.

Thanks to Tristan Madani for reporting this issue.

This is CVE-2026-42502 and Go issue https://go.dev/issue/79572.

html: denial of service when parsing arbitrary HTML

Due to the use of a cubic complexity algorithm during the HTML tree construction
stage, parsing arbitrary HTML can consume excessive CPU time.

Thanks to IPC Labs for reporting this issue.

This is CVE-2026-25680 and Go issue https://go.dev/issue/79573.

html: incorrect handling of character references in DOCTYPE nodes

The HTML parser mishandled character references in DOCTYPE nodes, causing
them to be incorrectly rendered. This can lead to XSS when rendering parsed
HTML.

Thanks to ensy for reporting this issue.

This is CVE-2026-25681 and Go issue https://go.dev/issue/79574.

html: duplicate attributes can cause XSS

The HTML parser did not properly handle multiple duplicate attributes, causing
the parser to misparse certain HTML trees. This can cause XSS when rendering
parsed HTML.

Thanks to ensy for reporting this issue.

This is CVE-2026-27136 and Go issue https://go.dev/issue/79575.

Cheers,
Go Security team
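A worked illustration of the idna issue described in the announcement above, added here as an example; it is not part of the announcement and not code from golang.org/x/net. A small RFC 3492 Punycode decoder (decodePunycode) stands in for the one inside x/net/idna; toUnicode applies the rule the advisory attributes to UTS 46 revision 33 (an "xn--" label whose decoded form is ASCII-only is an error); blocked and accessDecision are a constructed denylist and privilege check that reproduce the advisory's scenario: "example.com" is rejected, "xn--example-.com" passes the check, and the later conversion yields "example.com". All function names, the denylist and the strict flag are assumptions of this example, and the decoder assumes its input is an ASCII hostname.

```go
package main

import (
	"fmt"
	"strings"
)

// Punycode parameters and the bias adaptation function, RFC 3492 sections 5 and 6.1.
const base, tMin, tMax, skew, damp, initialBias, initialN = 36, 1, 26, 38, 700, 72, 128

func adapt(delta, numPoints int, firstTime bool) int {
	if firstTime {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for ; delta > ((base-tMin)*tMax)/2; k += base {
		delta /= base - tMin
	}
	return k + (base-tMin+1)*delta/(delta+skew)
}

// decodePunycode is a minimal RFC 3492 section 6.2 decoder for the text after
// "xn--"; it is an illustrative stand-in for x/net/idna's decoder, not its code.
func decodePunycode(enc string) (string, error) {
	d := strings.LastIndexByte(enc, '-') // basic (ASCII) code points precede the last '-'
	out, pos := []rune(strings.TrimSuffix(enc[:d+1], "-")), d+1
	n, i, bias := initialN, 0, initialBias
	for pos < len(enc) {
		oldi, w := i, 1
		for k := base; ; k += base {
			if pos >= len(enc) {
				return "", fmt.Errorf("punycode: truncated input")
			}
			digit := strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", enc[pos])
			if digit < 0 {
				return "", fmt.Errorf("punycode: invalid digit %q", enc[pos])
			}
			pos++
			i += digit * w
			t := k - bias
			if t < tMin {
				t = tMin
			} else if t > tMax {
				t = tMax
			}
			if digit < t {
				break
			}
			if w *= base - t; w > 1<<30 || i > 1<<30 {
				return "", fmt.Errorf("punycode: overflow")
			}
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		n += i / (len(out) + 1)
		i %= len(out) + 1
		out = append(out, 0) // grow, then insert code point n at index i
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return string(out), nil
}

// toUnicode converts each "xn--" label of a lowercase ASCII hostname. With strict set it
// applies the UTS 46 revision 33 rule from the advisory: a label that decodes to ASCII only is an error.
func toUnicode(host string, strict bool) (string, error) {
	labels := strings.Split(host, ".")
	for idx, l := range labels {
		if !strings.HasPrefix(l, "xn--") {
			continue
		}
		dec, err := decodePunycode(l[4:])
		if err != nil {
			return "", err
		}
		if strict && len([]rune(dec)) == len(dec) { // one byte per rune: "xn--" was never needed
			return "", fmt.Errorf("idna: %q decodes to ASCII-only label %q", l, dec)
		}
		labels[idx] = dec
	}
	return strings.Join(labels, "."), nil
}

// blocked is a constructed denylist; accessDecision is the vulnerable pattern the advisory
// describes: the privilege check runs on the ASCII name, the program later uses the Unicode one.
var blocked = map[string]bool{"example.com": true}

func accessDecision(asciiHost string, strict bool) (unicodeHost string, allowed bool, err error) {
	asciiHost = strings.ToLower(asciiHost)
	if blocked[asciiHost] {
		return "", false, nil // denied outright
	}
	unicodeHost, err = toUnicode(asciiHost, strict)
	return unicodeHost, err == nil, err // lenient: "example.com" slips through; strict: fails closed
}
```

With strict set to false, accessDecision("xn--example-.com", false) returns "example.com" and allowed, which is the bypass the advisory describes; with strict set to true the same input is rejected while a genuine IDN such as "xn--mnchen-3ya.de" still converts. Independently of upgrading to v0.55.0, the durable fix is to run privilege checks on the canonical form of the name (the result of the ToUnicode or ToASCII conversion that the program actually uses afterwards) rather than on the raw ASCII string.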
