CVE-2025-58190
published 2026-02-05CVE-2025-58190: The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an…
PriorityP426medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.48%
38.0th percentile
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.47.0-1 (forky) | golang-golang-x-net 1:0.47.0-1 (forky) |
| go | html | < 0.45.0 | 0.45.0 |
| golang.org | x_net | >= 0 < 0.45.0 | 0.45.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.45.0 | 0.45.0 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv7.5HIGH
vendor_ubuntu7.5HIGH
vendor_debian5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
adsys, juju-core, lxd vulnerabilities
osv·2026-04-07·CVSS 7.5
[HIGH] adsys, juju-core, lxd vulnerabilities
adsys, juju-core, lxd vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net-dev vulnerabilities
osv·2026-03-31·CVSS 7.5
[HIGH] golang-golang-x-net-dev vulnerabilities
golang-golang-x-net-dev vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] golang-golang-x-net vulnerabilities
golang-golang-x-net vulnerabilities
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only a
OSV
CVE-2025-58190: The html
osv·2026-02-05·CVSS 5.3
CVE-2025-58190 [MEDIUM] CVE-2025-58190: The html
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
OSV
Infinite parsing loop in golang.org/x/net
osv·2026-02-05
CVE-2025-58190 Infinite parsing loop in golang.org/x/net
Infinite parsing loop in golang.org/x/net
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Ubuntu
ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 7.5
CVE-2023-3978 [HIGH] ADSys, Juju Core, LXD vulnerabilities
Title: ADSys, Juju Core, LXD vulnerabilities
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-31·CVSS 7.5
CVE-2025-47911 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking.
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker coul
Red Hat
golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
vendor_redhat·2026-02-05·CVSS 5.3
CVE-2025-58190 [MEDIUM] CWE-835 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) in an exposed go application if an attacker provides specially crafted HTML content.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhai/assisted-installer-agent-r
Debian
CVE-2025-58190: golang-golang-x-net - The html.Parse function in golang.org/x/net/html has an infinite parsing loop wh...
vendor_debian·2025·CVSS 5.3
CVE-2025-58190 [MEDIUM] CVE-2025-58190: golang-golang-x-net - The html.Parse function in golang.org/x/net/html has an infinite parsing loop wh...
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1:0.47.0-1)
sid: resolved (fixed in 1:0.47.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35204 [MEDIUM] CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35204 :
Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
Source : NVD
## 8.4
Score
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and
Wiz
CVE-2025-58190 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-58190 [MEDIUM] CVE-2025-58190 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58190 :
Packer vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source : NVD
## 5.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Packer
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cloud-provider-kubevirt
docker-buildx
Sources
NVD
CBL-Mariner 2.0 Severity MEDIUM Has Fix Added at: Mar 04, 2026
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: Mar 13,
Wiz
CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35205 [MEDIUM] CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35205 :
Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Source : NVD
## 8.4
Score
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:helm:helm
helm
Sources
NVD
Chainguard No Fix Added at: Apr 10, 2026
Linux Has Fix Added at: Apr 10, 2026
Wolfi No Fix Added at: Apr 10, 2026
## Get a CVE risk assessment
Ge
Bugzilla
CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
bugzilla·2026-02-05·CVSS 5.3
CVE-2025-58190 [MEDIUM] CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
2026-02-05
Published