CVE-2025-47911
Published: 2026-02-05
Priority: P4 · 27 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.50% (39.1th percentile)
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.47.0-1 (forky) | golang-golang-x-net 1:0.47.0-1 (forky) |
| go | html | < 0.45.0 | 0.45.0 |
| golang.org | x_net | >= 0 < 0.45.0 | 0.45.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.45.0 | 0.45.0 |
| golang.org | x_net_html | >= 0 < 0.45.0 | 0.45.0 |
CVSS provenance
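| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |
| vendor_debian | 5.3 | MEDIUM | |
| vendor_redhat | 5.3 | MEDIUM | |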
OSV
adsys, juju-core, lxd vulnerabilities
osv·2026-04-07·CVSS 7.5
[HIGH] adsys, juju-core, lxd vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net-dev vulnerabilities
osv·2026-03-31·CVSS 7.5
[HIGH] golang-golang-x-net-dev vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] golang-golang-x-net vulnerabilities
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only a
OSV
golang.org/x/net/html has a Quadratic Parsing Complexity issue
osv·2026-02-12
CVE-2025-47911 [MEDIUM] golang.org/x/net/html has a Quadratic Parsing Complexity issue
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to Denial of Service (DoS) if an attacker provides specially crafted HTML content.
GHSA
golang.org/x/net/html has a Quadratic Parsing Complexity issue
ghsa·2026-02-12
CVE-2025-47911 [MEDIUM] CWE-407 golang.org/x/net/html has a Quadratic Parsing Complexity issue
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to Denial of Service (DoS) if an attacker provides specially crafted HTML content.
OSV
CVE-2025-47911: The html
osv·2026-02-05·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911: The html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
OSV
Quadratic parsing complexity in golang.org/x/net/html
osv·2026-02-05
CVE-2025-47911 Quadratic parsing complexity in golang.org/x/net/html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Ubuntu
ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 7.5
CVE-2023-3978 [HIGH] ADSys, Juju Core, LXD vulnerabilities
Title: ADSys, Juju Core, LXD vulnerabilities
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-31·CVSS 7.5
CVE-2025-47911 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking.
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker coul
Red Hat
golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
vendor_redhat·2026-02-05·CVSS 5.3
CVE-2025-47911 [MEDIUM] CWE-400 golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Package: rhai/assisted-installer-agent-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Fix deferred
Package: rhai/assisted-installer-controller-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Fix deferred
Package: rhai/assisted-installer-rhel9 (A
Debian
CVE-2025-47911: golang-golang-x-net - The html.Parse function in golang.org/x/net/html has quadratic parsing complexit...
vendor_debian·2025·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911: golang-golang-x-net - The html.Parse function in golang.org/x/net/html has quadratic parsing complexit...
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1:0.47.0-1)
sid: resolved (fixed in 1:0.47.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35204 [MEDIUM] CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35204: Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators, i.e. "/../". This vulnerability is fixed in 4.1.4.
Source: NVD
Score: 8.4
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and
Wiz
CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47911: Terraform Community vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source: NVD
Score: 5.3
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cri-o
kubernetes
Sources
NVD
CBL-Mariner 2.0 Severity MEDIUM Has Fix Added at: Mar 04, 2026
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: M
Wiz
CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35205 [MEDIUM] CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35205: Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Source: NVD
Score: 8.4
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:helm:helm
helm
Sources
NVD
Chainguard No Fix Added at: Apr 10, 2026
Linux Has Fix Added at: Apr 10, 2026
Wolfi No Fix Added at: Apr 10, 2026
Wiz
CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-11065 [MEDIUM] CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11065: Terraform Community vulnerability analysis and mitigation
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Source: NVD
Score: 5.3
Published January 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-11.2
kyverno-fips-1.12
Sources
NVD
Bugzilla
CVE-2025-47911 golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
bugzilla·2026-02-05·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911 golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
2026-02-05
Published