GHSA-5cv4-jp36-h3mwMediumCVSS 6.5
Go Net HTML parser is vulnerable to denial of service
🔗 CVE IDs covered (1)
📋 Description
In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
🎯 Affected products1
- go/golang.org/x/net:< 0.55.0
🔗 References (8)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25680
- https://go.dev/cl/781702
- https://go.dev/issue/79573
- https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
- https://pkg.go.dev/vuln/GO-2026-5028
- https://go.googlesource.com/net/+/08be507abce89191d78cd49da60f4501fc910472
- https://go.googlesource.com/net/+/refs/tags/v0.55.0
- https://github.com/advisories/GHSA-5cv4-jp36-h3mw