Hello gophers,

We have tagged version v0.45.0 of golang.org/x/net in order to address two security issues.

This version fixes two vulnerabilities in the golang.org/x/net/html package which could result in calls to Parse (and associated functions) executing unexpectedly slowly relative to the size of the input, or never returning, when encountering specific inputs. These vulnerabilities affect programs which parse untrusted HTML documents.

The parser implements the HTML specification, which contains a number of algorithms which are quadratic in complexity by design. This causes the processing time to scale non-linearly with respect to the size of the input for some HTML documents. To address this, we have imposed a depth limit of 512 for nested HTML tags, which should be high enough for the vast majority of valid HTML documents. Thanks to Jakub Guido Vranken and Jakub Ciolek for both independently reporting this issue. This is CVE-2025-47911 and Go issue https://go.dev/issue/75682.

The parser also misimplemented a portion of the HTML specification for table related tags. This could cause the parser to enter an infinite loop when encountering specific combinations of tags. Thanks to Guido Vranken for reporting this issue. This is CVE-2025-58190 and Go issue https://go.dev/issue/70179.

Cheers,
Go Security team
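For programs that parse untrusted HTML, upgrading to v0.45.0 is the fix; the wrapper below is an added example (not code from the Go team or from x/net) showing the complementary defence of bounding input size and parse time around a call such as html.Parse. It assumes the caller adapts html.Parse to the ParseFunc signature; the hanging parser used in main is constructed here to stand in for an input that never returns.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"time"
)

// ParseFunc is the shape of a parser such as html.Parse from
// golang.org/x/net/html, reduced to an error result for this example.
type ParseFunc func(r io.Reader) error

var ErrTooLarge = errors.New("html input exceeds size limit")

// BoundedParse reads at most maxBytes of untrusted input and gives parse at
// most timeout of wall-clock time. On timeout it returns control to the
// caller, but it cannot stop a goroutine stuck in an infinite loop: that
// goroutine leaks until the process exits, which is why the version upgrade
// remains necessary and this wrapper is only a second layer.
func BoundedParse(ctx context.Context, r io.Reader, maxBytes int64, timeout time.Duration, parse ParseFunc) error {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > maxBytes {
		return ErrTooLarge // reject before spending any parse time
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	done := make(chan error, 1) // buffered so a late parser can exit
	go func() { done <- parse(bytes.NewReader(data)) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return fmt.Errorf("html parse aborted after %s: %w", timeout, ctx.Err())
	}
}

// hangingParse is a constructed stand-in for a parser that never returns.
func hangingParse(r io.Reader) error { select {} }

func main() {
	doc := []byte("<table><tr><td>x</td></tr></table>") // constructed sample input
	err := BoundedParse(context.Background(), bytes.NewReader(doc), 1<<20, 100*time.Millisecond, hangingParse)
	fmt.Println(err) // html parse aborted after 100ms: context deadline exceeded
}
```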
