Skip to main content

golang.org/x/net/html CVE-2026-25680

| EUVDEUVD-2026-31447 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-22 Go GHSA-5cv4-jp36-h3mw
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 18:00 vuln.today
CVSS changed
May 29, 2026 - 15:52 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
May 22, 2026 - 15:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

AnalysisAI

Excessive CPU consumption in the golang.org/x/net/html package's HTML parser allows remote attackers to cause denial of service by supplying crafted HTML input to any Go application that parses untrusted markup using this library. All versions before 0.55.0 are confirmed affected per EUVD-2026-31447 and the Go vulnerability database (GO-2026-5028). No active exploitation has been identified - CISA SSVC rates exploitation as 'none' and the EPSS score of 0.04% (13th percentile) indicates very low observed exploitation probability at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption), meaning the HTML parser in golang.org/x/net/html does not impose adequate processing limits when handling certain HTML constructs, allowing a single malicious document to consume disproportionate CPU time. The affected component is the golang.org/x/net/html package (CPE: cpe:2.3:a:golang.org/x/net:golang.org/x/net/html:*:*:*:*:*:*:*:*), an extended networking and markup library maintained by the Go team, widely depended upon throughout the Go ecosystem. The fix is tracked upstream as Go change list CL/781702 (https://go.dev/cl/781702) and documented as issue #79573 (https://go.dev/issue/79573), suggesting the root cause involves a specific HTML input pattern that triggers pathological parser behavior - likely a quadratic or exponential complexity edge case in the parsing algorithm.

RemediationAI

Upgrade golang.org/x/net to version 0.55.0 or later, which incorporates the upstream fix from Go change CL/781702 (https://go.dev/cl/781702). This is a module-level dependency update: run 'go get golang.org/x/net@v0.55.0' and 'go mod tidy' to update go.mod and go.sum. Consult the Go vulnerability advisory at https://pkg.go.dev/vuln/GO-2026-5028 and the golang-announce group post at https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 for official guidance. If an immediate upgrade is not feasible, a compensating control is to enforce upstream input size limits (e.g., limit HTTP request body size or HTML document length via middleware) before the content reaches the html.Parse call - this trades some functionality for resource protection but does not eliminate the vulnerability. Dependency scanning tools (govulncheck) can confirm whether the affected package version is reachable in a given binary.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed

Share

CVE-2026-25680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy