CVE-2025-47911
Unknown Unknown - Not Provided
Quadratic Complexity DoS in golang.org/x/net/html Parse Function

Publication date: 2026-02-05

Last updated on: 2026-02-18

Assigner: Go Project

Description
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-47911
EUVD
EUVD-2025-206856
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
go html to 0.45.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-47911 is a vulnerability in the Go package golang.org/x/net/html, specifically in the html.Parse function and related parsing functions. The issue arises because the parser has quadratic parsing complexity when processing certain specially crafted HTML inputs. This means that the time and resources required to parse these inputs increase disproportionately as the input size grows, leading to very slow performance or the parser potentially never returning.

An attacker can exploit this by providing maliciously crafted HTML content that triggers this inefficient parsing behavior, causing a denial of service (DoS) by exhausting system resources.

Impact Analysis

This vulnerability can impact you by causing denial of service (DoS) conditions in applications that use the affected Go HTML parsing package to process untrusted or external HTML content.

  • The parser may consume excessive CPU and memory resources due to quadratic complexity, slowing down or halting the application.
  • In worst cases, the parser may never return, effectively causing the application to hang or crash.
  • This can disrupt services relying on HTML parsing, degrade user experience, and potentially lead to system instability.
Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from the html.Parse function in golang.org/x/net/html exhibiting quadratic parsing complexity when processing certain specially crafted HTML inputs, leading to denial of service (DoS). Detection would involve monitoring for unusually high CPU or memory usage during HTML parsing or identifying the presence of the vulnerable package version before v0.45.0.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade the golang.org/x/net/html package to version v0.45.0 or later, where the issue has been fixed.

The fix includes introducing a depth limit of 512 nested HTML tags to prevent excessive processing time and infinite loops during parsing of untrusted HTML documents.

Avoid parsing untrusted or maliciously crafted HTML content with vulnerable versions of the package until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-47911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart