MEDIUM 6.5
GHSA-5cv4-jp36-h3mw
Go Net HTML parser is vulnerable to denial of service
Details
In Go Net (`golang.org/x/net`) before version 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
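One way to check a project against the fixed version stated above, as an added example that is not code from the advisory or from the Go project. The function names and the sample go.mod are hypothetical and constructed for illustration; the check reads only the version written in go.mod.

```go
package main

import (
	"fmt"
	"strings"
)

const modPath = "golang.org/x/net"

var fixed = [3]int{0, 55, 0} // first patched release per the advisory: v0.55.0

// Affected reports whether v sorts before v0.55.0. Pseudo-versions are judged
// by their base version only, which errs on the side of flagging.
func Affected(v string) (bool, error) {
	var got [3]int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unexpected version %q: %w", v, err)
	}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return strings.Contains(v, "-"), nil // v0.55.0-<suffix> precedes v0.55.0
}

// XNetVersion returns the version a go.mod text requires for modPath, or "".
func XNetVersion(gomod string) string {
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require" && f[1] == modPath:
			return f[2]
		case inRequire && len(f) == 2 && f[0] == modPath:
			return f[1]
		}
	}
	return ""
}

// sample is a constructed go.mod, not taken from any real project.
const sample = "module example.test/app\n\nrequire (\n\tgolang.org/x/net v0.54.0 // indirect\n)\n"

func main() { fmt.Println(Affected(XNetVersion(sample))) }
```

A `replace` directive or a dependency that requires a newer release can change the version actually built; `go list -m golang.org/x/net` reports the selected one.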
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-25680 [ADVISORY]
- https://go.dev/cl/781702 [WEB]
- https://go.dev/issue/79573 [WEB]
- https://go.googlesource.com/net/+/08be507abce89191d78cd49da60f4501fc910472 [WEB]
- https://go.googlesource.com/net/+/refs/tags/v0.55.0 [WEB]
- https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 [WEB]
- https://pkg.go.dev/vuln/GO-2026-5028 [WEB]
- cs.opensource.google/go/x/net [PACKAGE]