A question only tangentially related to these CVEs.
Why hasn't the Go vulnerability database been updated to include these CVEs?
AFAICT no CVEs have been added there since September 24th.

On Tuesday, October 7, 2025 at 4:10:43 PM UTC-4 Roland Shoemaker wrote:

> Hello gophers,
>
> We have tagged version v0.45.0 of golang.org/x/net in order to address two
> security issues.
>
> This version fixes two vulnerabilities in the golang.org/x/net/html package
> which could result in calls to Parse (and associated functions) executing
> unexpectedly slowly relative to the size of the input or never returning when
> encountering specific inputs.
>
> These vulnerabilities affect programs which parse untrusted HTML documents.
>
> The parser implements the HTML specification, which contains a number of
> algorithms which are quadratic in complexity by design. This causes the
> processing time to scale non-linearly with respect to the size of the input
> for some HTML documents. We have imposed a depth limit of 512 for nested HTML
> tags, which should be high enough for the vast majority of valid HTML
> documents, to address this.
>
> Thanks to Jakub Guido Vranken and Jakub Ciolek for both independently
> reporting this issue.
>
> This is CVE-2025-47911 and Go issue https://go.dev/issue/75682.
>
> The parser also misimplemented a portion of the HTML specification for table
> related tags. This could cause the parser to enter an infinite loop when
> encountering specific combinations of tags.
>
> Thanks to Guido Vranken for reporting this issue.
>
> This is CVE-2025-58190 and Go issue https://go.dev/issue/70179.
>
> Cheers,
> Go Security team
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/8fc5acf5-9525-4b2e-9083-2230bdb6bb85n%40googlegroups.com.
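The two failure modes in the quoted announcement (quadratic time bounded by a nesting-depth limit of 512, and a parse that never returns) map onto three defences a service that parses untrusted HTML can apply before or around the real parser. The program below is an added example and is not code from this thread or from the golang.org/x/net project: it is stdlib-only Go that caps the input size, rejects documents whose raw tag nesting exceeds the 512 limit the announcement names, and bounds a parse call with a context deadline so an infinite loop cannot hang the caller. The names `nestingDepth`, `screen`, `runWithTimeout`, the 1 MiB cap and the sample inputs are assumptions for illustration. The depth scan is lexical (it skips comments and void elements but does not model the specification's implicit end tags), so it is a conservative pre-screen rather than the parser's own limit, and none of this replaces upgrading to v0.45.0.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// maxDepth is the nesting limit quoted in the announcement; maxBytes is an
// assumed per-document cap on untrusted input (1 MiB, chosen for this example).
const (
	maxDepth = 512
	maxBytes = 1 << 20
)

var (
	ErrTooDeep  = errors.New("html: nesting depth exceeds limit")
	ErrTooLarge = errors.New("html: document exceeds size limit")
)

// voidElements never take a closing tag, so they must not raise the depth.
var voidElements = map[string]bool{
	"area": true, "base": true, "br": true, "col": true, "embed": true,
	"hr": true, "img": true, "input": true, "link": true, "meta": true,
	"source": true, "track": true, "wbr": true,
}

// nestingDepth returns the deepest open-tag nesting found by a simple lexical
// pass: comments are skipped, "<x/>" and void elements do not open a level,
// and a stray "</x>" never drives the depth negative. Implicit end tags
// (e.g. "<p><p>") are not modelled, so the result over-counts those and is
// a conservative pre-screen, not a parse.
func nestingDepth(doc string) int {
	depth, maxSeen := 0, 0
	for i := 0; i < len(doc); {
		if doc[i] != '<' {
			i++
			continue
		}
		if strings.HasPrefix(doc[i:], "<!--") {
			end := strings.Index(doc[i+4:], "-->")
			if end < 0 {
				break // unterminated comment: nothing more can open a tag
			}
			i += 4 + end + 3
			continue
		}
		end := strings.IndexByte(doc[i:], '>')
		if end < 0 {
			break
		}
		tag := doc[i+1 : i+end]
		i += end + 1
		closing := strings.HasPrefix(tag, "/")
		tag = strings.TrimPrefix(tag, "/")
		selfClosing := strings.HasSuffix(tag, "/")
		name := strings.ToLower(tag) // tag name runs up to the first delimiter
		if j := strings.IndexAny(name, " \t\r\n/"); j >= 0 {
			name = name[:j]
		}
		if name == "" || name[0] == '!' || name[0] == '?' {
			continue // doctype, processing instruction, or junk
		}
		switch {
		case closing:
			if depth > 0 {
				depth--
			}
		case selfClosing || voidElements[name]:
			// void or self-closing: no change in depth
		default:
			depth++
			if depth > maxSeen {
				maxSeen = depth
			}
		}
	}
	return maxSeen
}

// screen enforces the byte cap and the depth limit before the real parser
// (html.Parse from golang.org/x/net/html, not shown) ever sees the input.
func screen(r io.Reader) (string, error) {
	// Read one byte past the cap to distinguish "exactly maxBytes" from "too big".
	b, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return "", err
	}
	if len(b) > maxBytes {
		return "", ErrTooLarge
	}
	doc := string(b)
	if nestingDepth(doc) > maxDepth {
		return "", ErrTooDeep
	}
	return doc, nil
}

// runWithTimeout bounds a parse that may never return. Go cannot kill the
// goroutine, so a hung parse leaks one goroutine; the size cap keeps the
// memory such a leak can pin bounded.
func runWithTimeout(ctx context.Context, parse func() error) error {
	done := make(chan error, 1)
	go func() { done <- parse() }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ctx.Err()
	}
}

func main() {
	// Constructed inputs: an ordinary page and a hostile deeply nested one.
	benign := "<!DOCTYPE html><html><body><p>hi<br>there</p><img src=x></body></html>"
	hostile := strings.Repeat("<div>", 2000) + "x" + strings.Repeat("</div>", 2000)
	for _, in := range []string{benign, hostile} {
		_, err := screen(strings.NewReader(in))
		fmt.Printf("depth=%d err=%v\n", nestingDepth(in), err)
	}
	// A parse that hangs (select {} stands in for the looping parser) is cut
	// off by the deadline instead of stalling the caller.
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	fmt.Println("hung parse:", runWithTimeout(ctx, func() error { select {} }))
}
```

In a server, run `screen` on the request body, then call the real parser inside `runWithTimeout` with the request context; a rejected document should be logged with the reason, since a stream of ErrTooDeep or timeouts from one source is itself a detection signal.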