CVE-2025-58190
Infinite Loop DoS in golang.org/x/net/html Parse Function
Publication date: 2026-02-05
Last updated on: 2026-02-18
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go | html | to 0.45.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the golang.org/x/net/html package causing an infinite parsing loop, you should upgrade the package to version v0.45.0 or later where the issue is fixed.
Avoid processing untrusted or specially crafted HTML inputs with vulnerable versions of the package until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
The vulnerability CVE-2025-58190 affects the html.Parse function in the golang.org/x/net/html package. When processing certain specially crafted HTML inputs, the function can enter an infinite parsing loop.
This infinite loop occurs because the parser does not handle some inputs correctly, causing it to never complete parsing.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability by providing specially crafted HTML content that triggers the infinite parsing loop.
This leads to a denial of service (DoS) condition, where the application using the vulnerable html.Parse function becomes unresponsive or consumes excessive resources.