
[security] Vulnerability in golang.org/x/net


anno...@golang.org

Mar 27, 2025, 4:00:23 PM
to golan...@googlegroups.com

Hello gophers,

We have tagged version v0.38.0 of golang.org/x/net in order to address a security issue.

This version fixes a vulnerability in the golang.org/x/net/html package which could result in the tokenizer emitting incorrect tokens and the parser producing an incorrect HTML DOM.

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing, which could result in content following the tag being placed in the wrong scope during DOM construction.

This may affect any tags when using Tokenizer, but will only affect tags inside foreign content contexts when using Parse (along with ParseFragment, ParseFragmentWithOption, and ParseWithOptions).

Thanks to Sean Ng (https://ensy.zip) for reporting this issue.

This is CVE-2025-22872 and Go issue https://go.dev/issue/73070.

Cheers,
Go Security team
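
A check a defender can run against deployed binaries, added here as an example (not code from the announcement or from the Go project): it reads the module list embedded in compiled Go binaries and flags builds that link golang.org/x/net older than v0.38.0. The helper names affected and scan are this example's own, and a hit means the module is linked, not that the html package is actually used.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// affected (example helper) reports whether a version sorts before v0.38.0.
func affected(version string) (bool, error) {
	fixed := [3]int{0, 38, 0}
	core, _, hasPre := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := strings.Split(strings.Split(core, "+")[0], ".") // drop +build metadata
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(parts) != 3 {
			return false, fmt.Errorf("unrecognised version %q", version)
		}
		if n != fixed[i] {
			return n < fixed[i], nil
		}
	}
	return hasPre, nil // vX.Y.Z-pre and pseudo-versions sort before vX.Y.Z
}

// scan (example helper) reports the x/net version linked into a Go binary.
func scan(path string) string {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return fmt.Sprintf("%s: %v", path, err)
	}
	for _, m := range info.Deps {
		if m.Path == "golang.org/x/net" {
			if m.Replace != nil { // a replace directive decides what is linked
				m = m.Replace
			}
			bad, err := affected(m.Version)
			return fmt.Sprintf("%s: x/net %q affected=%v err=%v", path, m.Version, bad, err)
		}
	}
	return path + ": golang.org/x/net not linked"
}

func main() { // usage: go run . BINARY...
	for _, path := range os.Args[1:] {
		fmt.Println(scan(path))
	}
}
```

A module replaced by a local directory has no version string, so scan reports it with an error rather than guessing.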
