Infinite parsing loop in golang.org/x/net

GO-2026-4441 · CVE-2025-58190

Published Feb 5, 2026 · Modified May 15, 2026

Description

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

References

WEB https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
REPORT https://github.com/golang/vulndb/issues/4441
FIX https://go.dev/cl/709875

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes