CVE-2025-22872: Cross-site Scripting in X NET Golang.org X NET Html

CWE-79: Cross-site Scripting | 12 documents | 8 sources

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 69.16%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Apr 16
Latest update: Apr 7

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Exploitability: 2.2 | Impact: 3.7

Affected Packages: 2 packages

Vulnerability Details (5)

OSV: CVE-2025-22872: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing (2025-04-16)
OSV: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net (2025-04-16)
GHSA: golang.org/x/net vulnerable to Cross-site Scripting (2025-04-16)
CVEList: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net (2025-04-16)
OSV: golang.org/x/net vulnerable to Cross-site Scripting (2025-04-16)

Vendor Advisories (6)

Ubuntu: ADSys, Juju Core, LXD vulnerabilities (2026-04-07)
Ubuntu: Go Networking vulnerabilities (2026-03-31)
Ubuntu: Go Networking vulnerabilities (2026-03-12)
Red Hat: golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net (2025-04-16)
Microsoft: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net (2025-04-08)
CVE-2025-22872 — Cross-site Scripting | cvebase