golang.org/x/net/html has a Quadratic Parsing Complexity issue

GHSA-w4gw-w5jq-g9jh · CVE-2025-47911 · GO-2026-4440

Published Feb 12, 2026 · Modified Feb 16, 2026

Description

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to Denial of Service (DoS) if an attacker provides specially crafted HTML content.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-47911
WEB https://github.com/golang/vulndb/issues/4440
WEB https://go.dev/cl/709876
PACKAGE https://go.googlesource.com/net
WEB https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
WEB https://pkg.go.dev/vuln/GO-2026-4440

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes