Hello gophers,
We have tagged version v0.45.0 of
golang.org/x/net in order to address two
security issues.
This version fixes two vulnerabilities in the
golang.org/x/net/html package
which could result in calls to Parse (and associated functions) executing
unexpectedly slowly relative to the size of the input or never returning when
encountering specific inputs.
These vulnerabilities affect programs which parse untrusted HTML documents.
The parser implements the HTML specification, which contains a number of
algorithms that are quadratic by design. For some HTML documents this causes
the processing time to scale non-linearly with the size of the input. To
address this, we have imposed a depth limit of 512 on nested HTML tags, which
should be high enough for the vast majority of valid HTML documents.
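The Go program below is an added illustration, not code from the announcement
or from golang.org/x/net/html. It models the tree builder's stack of open
elements: before acting on each tag the model walks the whole stack, as
spec algorithms such as "has an element in scope" do, so n nested start tags
cost on the order of n^2 stack entries examined. With a 512-level cap the walk
per tag is bounded, so the total work becomes linear in the number of tags.
The names parse, nested, maxDepth and Stats are this example's own, the input
is constructed, and stopping with an error at the cap is this toy's choice; the
announcement does not say how the fixed library treats tags past its limit.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxDepth mirrors the 512-level cap the announcement describes. The parser
// model in this file is an illustration written for this note, not x/net code.
const maxDepth = 512

// errTooDeep is this toy's reaction to exceeding the cap (an assumption; the
// announcement does not describe the library's behaviour past the limit).
var errTooDeep = errors.New("html: nesting depth exceeds limit")

type tag struct {
	name string
	end  bool
}

// tokenize extracts <name> and </name> tags and ignores everything else.
// It is deliberately minimal: attributes, comments and text are not modelled.
func tokenize(s string) []tag {
	var out []tag
	for {
		i := strings.IndexByte(s, '<')
		if i < 0 {
			return out
		}
		j := strings.IndexByte(s[i:], '>')
		if j < 0 {
			return out
		}
		body := s[i+1 : i+j]
		s = s[i+j+1:]
		name := strings.TrimPrefix(body, "/")
		if name == "" {
			continue
		}
		out = append(out, tag{name: name, end: len(name) != len(body)})
	}
}

// Stats records how much work the model spent on one document.
type Stats struct {
	Depth     int // deepest stack of open elements reached
	StackWalk int // stack entries examined over the whole parse
}

// parse models the stack of open elements. Every tag first walks the whole
// stack (O(depth) per tag, so n nested tags cost O(n^2)); a start tag pushes,
// an end tag pops back to its matching element. With limit > 0, a start tag
// that would exceed the limit stops the parse with errTooDeep.
func parse(doc string, limit int) (Stats, error) {
	var stack []string
	var st Stats
	for _, t := range tokenize(doc) {
		st.StackWalk += len(stack) // the scope walk
		if t.end {
			for i := len(stack) - 1; i >= 0; i-- {
				if stack[i] == t.name {
					stack = stack[:i]
					break
				}
			}
			continue
		}
		if limit > 0 && len(stack) >= limit {
			return st, errTooDeep
		}
		stack = append(stack, t.name)
		if len(stack) > st.Depth {
			st.Depth = len(stack)
		}
	}
	return st, nil
}

// nested builds a constructed worst-case document: n nested <div> elements.
func nested(n int) string {
	return strings.Repeat("<div>", n) + "x" + strings.Repeat("</div>", n)
}

func main() {
	for _, n := range []int{100, 1000, 10000} {
		unbounded, _ := parse(nested(n), 0)
		capped, err := parse(nested(n), maxDepth)
		fmt.Printf("n=%5d  uncapped walk=%9d  capped walk=%7d  depth=%3d  err=%v\n",
			n, unbounded.StackWalk, capped.StackWalk, capped.Depth, err)
	}
}
```

For n nested elements the uncapped walk count is exactly n^2 (0+1+...+(n-1)
for the start tags plus n+...+1 for the end tags), while the capped parse
stops after examining 512*513/2 entries regardless of n. The same shape of
check, a bound on nesting depth applied before untrusted input reaches a
stack-walking algorithm, is what makes the library's fix effective.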
Thanks to Guido Vranken and Jakub Ciolek for both independently reporting
this issue.
This is CVE-2025-47911 and Go issue
https://go.dev/issue/75682.
The parser also misimplemented a portion of the HTML specification for table
related tags. This could cause the parser to enter an infinite loop when
encountering specific combinations of tags.
Thanks to Guido Vranken for reporting this issue.
This is CVE-2025-58190 and Go issue
https://go.dev/issue/70179.
Cheers,
Go Security team