CVE-2025-47911
Quadratic Complexity DoS in golang.org/x/net/html Parse Function

Publication date: 2026-02-05

Last updated on: 2026-02-18

Assigner: Go Project

Description
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Meta Information
Published: 2026-02-05
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
go       html      up to 0.45.0 (excluding)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-47911 is a vulnerability in the Go package golang.org/x/net/html, specifically in the html.Parse function and related parsing functions. The issue arises because the parser has quadratic parsing complexity when processing certain specially crafted HTML inputs. This means that the time and resources required to parse these inputs increase disproportionately as the input size grows, leading to very slow performance or the parser potentially never returning.

An attacker can exploit this by providing maliciously crafted HTML content that triggers this inefficient parsing behavior, causing a denial of service (DoS) by exhausting system resources.


How can this vulnerability impact me?

This vulnerability can impact you by causing denial of service (DoS) conditions in applications that use the affected Go HTML parsing package to process untrusted or external HTML content.

  • The parser may consume excessive CPU and memory resources due to quadratic complexity, slowing down or halting the application.
  • In worst cases, the parser may never return, effectively causing the application to hang or crash.
  • This can disrupt services relying on HTML parsing, degrade user experience, and potentially lead to system instability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from the html.Parse function in golang.org/x/net/html exhibiting quadratic parsing complexity when processing certain specially crafted HTML inputs, leading to denial of service (DoS). Detection would involve monitoring for unusually high CPU or memory usage during HTML parsing or identifying the presence of the vulnerable package version before v0.45.0.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the golang.org/x/net/html package to version v0.45.0 or later, where the issue has been fixed.

The fix includes introducing a depth limit of 512 nested HTML tags to prevent excessive processing time and infinite loops during parsing of untrusted HTML documents.

Avoid parsing untrusted or maliciously crafted HTML content with vulnerable versions of the package until the update is applied.
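The detection answer above notes that the practical check is whether a build pulls in golang.org/x/net below v0.45.0, and the mitigation answer says to upgrade past that version. The following Go program is an added example, not code from this advisory record or from the Go project: it scans a go.mod file for the golang.org/x/net requirement and reports whether the pinned version falls in the affected range (below v0.45.0). The function names, the constructed sample go.mod and the exit codes are this example's own assumptions; the fixed version v0.45.0 comes from the record above.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// XNetModule is the module that provides golang.org/x/net/html.
const XNetModule = "golang.org/x/net"

// FixedVersion is the first release the advisory reports as fixed; every
// version below it ("up to 0.45.0, excluding") is in the affected range.
const FixedVersion = "v0.45.0"

// semver holds the numeric part of a module version plus a flag for a
// pre-release suffix, which sorts before the release it precedes.
type semver struct {
	num [3]int
	pre bool
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-prerelease][+build]". A Go pseudo-version
// such as v0.0.0-20230101000000-abcdef123456 parses as 0.0.0 pre-release, which is
// what a "below v0.45.0" check needs.
func parseSemver(v string) (semver, bool) {
	var out semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out.pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, false
		}
		out.num[i] = n
	}
	return out, true
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareSemver(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.num[i] != b.num[i] {
			if a.num[i] < b.num[i] {
				return -1
			}
			return 1
		}
	}
	if a.pre == b.pre {
		return 0
	}
	if a.pre {
		return -1
	}
	return 1
}

// RequiredXNetVersion scans go.mod text for the golang.org/x/net requirement in
// single-line or "require ( ... )" form, ignoring "// indirect" comments. It does
// not resolve replace directives; `go list -m golang.org/x/net` gives the version
// the build actually resolves.
func RequiredXNetVersion(goMod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) == 2 && fields[0] == XNetModule {
			return fields[1], true
		}
	}
	return "", false
}

// IsVulnerableXNet reports whether go.mod pins golang.org/x/net below v0.45.0.
// A module that does not require x/net at all is reported as not affected.
func IsVulnerableXNet(goMod string) (vulnerable bool, version string, err error) {
	v, ok := RequiredXNetVersion(goMod)
	if !ok {
		return false, "", nil
	}
	have, ok := parseSemver(v)
	if !ok {
		return false, v, fmt.Errorf("unparseable version %q for %s", v, XNetModule)
	}
	fixed, _ := parseSemver(FixedVersion)
	return compareSemver(have, fixed) < 0, v, nil
}

// sampleGoMod is a constructed go.mod, used when no path is given on the command line.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgolang.org/x/net v0.44.0 // indirect\n\tgolang.org/x/text v0.28.0\n)\n"

func main() {
	data := []byte(sampleGoMod)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	vul, v, err := IsVulnerableXNet(string(data))
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	case v == "":
		fmt.Println(XNetModule, "is not required by this module")
	case vul:
		fmt.Printf("VULNERABLE: %s %s is below %s (CVE-2025-47911)\n", XNetModule, v, FixedVersion)
		os.Exit(1)
	default:
		fmt.Printf("OK: %s %s is at or above %s\n", XNetModule, v, FixedVersion)
	}
}
```

Run it as `go run check.go ./go.mod` in a CI step; a non-zero exit flags the dependency for upgrade (`go get golang.org/x/net@v0.45.0` then `go mod tidy`). Because it only reads go.mod, it misses versions selected through replace directives or pulled in by a vendored tree; for the version the build actually resolves, and for the full Go vulnerability database, the Go project's `govulncheck ./...` is the authoritative check.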

