CVE-2025-47911
Unknown Unknown - Not Provided

Quadratic Complexity DoS in golang.org/x/net/html Parse Function

Vulnerability report for CVE-2025-47911, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-05

Last updated on: 2026-02-18

Assigner: Go Project

Description

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-05
Last Modified
2026-02-18
Generated
2026-07-06
AI Q&A
2026-02-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
go html to 0.45.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-47911 is a vulnerability in the Go package golang.org/x/net/html, specifically in the html.Parse function and related parsing functions. The issue arises because the parser has quadratic parsing complexity when processing certain specially crafted HTML inputs. This means that the time and resources required to parse these inputs increase disproportionately as the input size grows, leading to very slow performance or the parser potentially never returning.

An attacker can exploit this by providing maliciously crafted HTML content that triggers this inefficient parsing behavior, causing a denial of service (DoS) by exhausting system resources.

Impact Analysis

This vulnerability can impact you by causing denial of service (DoS) conditions in applications that use the affected Go HTML parsing package to process untrusted or external HTML content.

  • The parser may consume excessive CPU and memory resources due to quadratic complexity, slowing down or halting the application.
  • In worst cases, the parser may never return, effectively causing the application to hang or crash.
  • This can disrupt services relying on HTML parsing, degrade user experience, and potentially lead to system instability.
Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from the html.Parse function in golang.org/x/net/html exhibiting quadratic parsing complexity when processing certain specially crafted HTML inputs, leading to denial of service (DoS). Detection would involve monitoring for unusually high CPU or memory usage during HTML parsing or identifying the presence of the vulnerable package version before v0.45.0.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade the golang.org/x/net/html package to version v0.45.0 or later, where the issue has been fixed.

The fix includes introducing a depth limit of 512 nested HTML tags to prevent excessive processing time and infinite loops during parsing of untrusted HTML documents.

Avoid parsing untrusted or maliciously crafted HTML content with vulnerable versions of the package until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-47911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart