CVE-2025-58190
published 2026-02-05

Priority: P426 | medium | 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.48% (38.0th percentile)

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.47.0-1 (forky) | golang-golang-x-net 1:0.47.0-1 (forky) |
| go | html | < 0.45.0 | 0.45.0 |
| golang.org | x_net | >= 0 < 0.45.0 | 0.45.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.45.0 | 0.45.0 |

CVSS provenance

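| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |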