CVE-2025-22872
Published 2025-04-16
Priority: P4 · 34 · medium · 6.5 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.45% (35.9th percentile)
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.27.0-2 (forky) | golang-golang-x-net 1:0.27.0-2 (forky) |
| golang.org | x_net | >= 0 < 0.38.0 | 0.38.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.38.0 | 0.38.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-2 | — | — |
| msrc | azl3_cert-manager_1.12.15-4 | — | — |
| msrc | azl3_cf-cli_8.7.11-3 | — | — |
| msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | — | — |
| msrc | azl3_cni-plugins_1.4.0-3 | — | — |
| msrc | azl3_containerd2_2.0.0-12 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-14 | — | — |
| msrc | azl3_cri-tools_1.32.0-2 | — | — |
| msrc | azl3_dasel_2.8.1-2 | — | — |
| msrc | azl3_docker-buildx_0.14.0-6 | — | — |
| msrc | azl3_docker-compose_2.27.0-5 | — | — |
| msrc | azl3_gh_2.62.0-8 | — | — |
| msrc | azl3_helm_3.15.2-3 | — | — |
| msrc | azl3_ig_0.37.0-4 | — | — |
| msrc | azl3_influxdb_2.7.5-5 | — | — |
| msrc | azl3_keda_2.14.1-7 | — | — |
| msrc | azl3_kube-vip-cloud-provider_0.0.10-4 | — | — |
| msrc | azl3_kubernetes_1.30.10-7 | — | — |
| msrc | azl3_kubevirt_1.2.0-17 | — | — |
| msrc | azl3_libcontainers-common_20240213-3 | — | — |
CVSS provenance
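| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |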
Ubuntu
ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 7.5
CVE-2023-3978 [HIGH] ADSys, Juju Core, LXD vulnerabilities
Title: ADSys, Juju Core, LXD vulnerabilities
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-31·CVSS 7.5
CVE-2025-47911 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking.
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker coul
Red Hat
golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
vendor_redhat·2025-04-16·CVSS 6.5
CVE-2025-22872 [MEDIUM] CWE-79 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
A flaw was found in the HTML tokenizer component. This vulnerability allows incorrect DOM construction and potential content misplacement via unquoted attribute values ending with a (/) in tags within foreign content contexts such as `<math>` or `<svg>`.
Mitig
Microsoft
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
vendor_msrc·2025-04-08·CVSS 6.5
CVE-2025-22872 [MEDIUM] Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releas
Debian
CVE-2025-22872: golang-golang-x-net - The tokenizer incorrectly interprets tags with unquoted attribute values that en...
vendor_debian·2025·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872: golang-golang-x-net - The tokenizer incorrectly interprets tags with unquoted attribute values that en...
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1:0.27.0-2)
sid: resolved (fixed in 1:0.27.0-2)
trixie: resolved (fixed in 1:0.27.0-2)
OSV
adsys, juju-core, lxd vulnerabilities
osv·2026-04-07·CVSS 7.5
[HIGH] adsys, juju-core, lxd vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net-dev vulnerabilities
osv·2026-03-31·CVSS 7.5
[HIGH] golang-golang-x-net-dev vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] golang-golang-x-net vulnerabilities
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only a
OSV
CVE-2025-22872: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing
osv·2025-04-16·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
OSV
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
osv·2025-04-16
CVE-2025-22872 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
GHSA
golang.org/x/net vulnerable to Cross-site Scripting
ghsa·2025-04-16
CVE-2025-22872 [MEDIUM] CWE-79 golang.org/x/net vulnerable to Cross-site Scripting
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
OSV
golang.org/x/net vulnerable to Cross-site Scripting
osv·2025-04-16
CVE-2025-22872 [MEDIUM] golang.org/x/net vulnerable to Cross-site Scripting
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-22872 cri-o1.30: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 cri-o1.30: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it
Bugzilla
CVE-2025-22872 cri-tools1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 cri-tools1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if
Bugzilla
CVE-2025-22872 osbuild-composer: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 osbuild-composer: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL
Bugzilla
CVE-2025-22872 caddy: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [epel-9]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 caddy: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [epel-9]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-22872 cri-o1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 cri-o1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it
Bugzilla
CVE-2025-22872 matterbridge: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 matterbridge: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if
Bugzilla
CVE-2025-22872 caddy: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [epel-8]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 caddy: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [epel-8]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-22872 golang-github-deepmap-oapi-codegen: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 golang-github-deepmap-oapi-codegen: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug wil
Bugzilla
CVE-2025-22872 kubernetes1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 kubernetes1.29: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL i
Bugzilla
CVE-2025-22872 grafana: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 grafana: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it re
Bugzilla
CVE-2025-22872 golang-github-microcosm-cc-bluemonday: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 golang-github-microcosm-cc-bluemonday: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug
Bugzilla
CVE-2025-22872 ollama: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 ollama: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it rem
Bugzilla
CVE-2025-22872 golang-github-kyokomi-emoji: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 golang-github-kyokomi-emoji: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be cl
Bugzilla
CVE-2025-22872 shellz: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 shellz: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it rem
Bugzilla
CVE-2025-22872 cri-tools1.31: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 cri-tools1.31: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if
Bugzilla
CVE-2025-22872 cri-o1.31: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 cri-o1.31: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it
Bugzilla
CVE-2025-22872 kubernetes1.30: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
CVE-2025-22872 [MEDIUM] CVE-2025-22872 kubernetes1.30: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL i
Bugzilla
CVE-2025-22872 golang-k8s-kube-aggregator: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be clo
Bugzilla
CVE-2025-22872 golang-x-net: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if
Bugzilla
CVE-2025-22872 cri-tools1.30: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if
Bugzilla
CVE-2025-22872 cri-tools: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
bugzilla·2025-04-17·CVSS 6.5
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360404
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it
Bugzilla
CVE-2025-22872 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
bugzilla·2025-04-16·CVSS 6.5
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
2025-04-16
Published