golang.org/x/net vulnerabilities
24 known vulnerabilities affecting golang.org/x/net.
Total CVEs: 24
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in the wild: 1
Severity breakdown: HIGH 13, MEDIUM 7, UNKNOWN 4
Vulnerabilities
Page 1 of 2
CVE-2026-27141 | Severity: UNKNOWN | Affected: ≥ 0.50.0, < 0.51.0 | 2026-02-26
Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
Due to a missing nil check, sending HTTP/2 frames with frame types 0x0a-0x0f causes a running server to panic.
Source: osv
CVE-2025-47911 | Severity: UNKNOWN | Affected: ≥ 0, < 0.45.0 | 2026-02-05
Quadratic parsing complexity in golang.org/x/net/html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source: osv
CVE-2025-58190 | Severity: UNKNOWN | Affected: ≥ 0, < 0.45.0 | 2026-02-05
Infinite parsing loop in golang.org/x/net
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source: osv
CVE-2025-22872 | Severity: MEDIUM | CWE-79 | Affected: ≥ 0, < 0.38.0 | 2025-04-16
golang.org/x/net vulnerable to Cross-site Scripting
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM const
Sources: ghsa, osv
CVE-2025-22870 | Severity: MEDIUM | CWE-115 | Affected: ≥ 0, < 0.36.0 | 2025-03-12
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Sources: ghsa, osv
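The zone-ID bypass above, as an added example that is not x/net's code. BypassNaive is an assumed model of the flawed behaviour the advisory describes (unescape the bracketed literal, then suffix-match it like a host name, so the zone ".example.com" satisfies "*.example.com"); it is not the library's actual matcher. BypassHardened shows the check a practitioner wants: cut the zone off before parsing the literal, and never let a name pattern match an IP literal. All function names and the sample hosts and patterns are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// hostOnly strips an optional ":port" and the brackets of an IPv6 literal.
func hostOnly(hostport string) string {
	if strings.HasPrefix(hostport, "[") {
		if i := strings.Index(hostport, "]"); i >= 0 {
			return hostport[1:i]
		}
		return hostport[1:]
	}
	if i := strings.LastIndex(hostport, ":"); i >= 0 {
		return hostport[:i]
	}
	return hostport
}

// nameMatches applies a NO_PROXY host pattern to a DNS name:
// "*.example.com" and ".example.com" match subdomains only,
// "example.com" matches the name itself and its subdomains.
func nameMatches(host, pattern string) bool {
	pattern = strings.TrimPrefix(pattern, "*")
	if strings.HasPrefix(pattern, ".") {
		return strings.HasSuffix(host, pattern)
	}
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

// BypassNaive is an assumed model of the bug (not x/net's code): the
// bracketed literal is percent-decoded and then compared as if it were a
// host name, so a zone ID that ends in ".example.com" bypasses the proxy.
func BypassNaive(hostport, noProxy string) bool {
	host, err := url.PathUnescape(hostOnly(hostport)) // "%25" -> "%"
	if err != nil {
		return false
	}
	host = strings.ToLower(host)
	for _, p := range strings.Split(noProxy, ",") {
		p = strings.ToLower(strings.TrimSpace(p))
		if p == "" {
			continue
		}
		if p == "*" || nameMatches(host, p) {
			return true
		}
	}
	return false
}

// BypassHardened classifies the host first. An IPv6 literal has its zone
// ("%eth0", "%.example.com", ...) removed before it is parsed, and an IP
// literal can only be bypassed by an IP or CIDR pattern, never a name pattern.
func BypassHardened(hostport, noProxy string) bool {
	host, err := url.PathUnescape(hostOnly(hostport))
	if err != nil {
		return false
	}
	host = strings.ToLower(host)
	addr := host
	if i := strings.IndexByte(addr, '%'); i >= 0 {
		addr = addr[:i] // the zone ID is interface scope, not part of the host
	}
	ip := net.ParseIP(addr)
	for _, p := range strings.Split(noProxy, ",") {
		p = strings.ToLower(strings.TrimSpace(p))
		switch {
		case p == "":
			continue
		case p == "*":
			return true
		case ip != nil:
			if pip := net.ParseIP(p); pip != nil && pip.Equal(ip) {
				return true
			}
			if _, cidr, err := net.ParseCIDR(p); err == nil && cidr.Contains(ip) {
				return true
			}
		case nameMatches(host, p):
			return true
		}
	}
	return false
}

func main() {
	req := "[::1%25.example.com]:80" // constructed request host from the advisory's example
	fmt.Println("naive bypass:   ", BypassNaive(req, "*.example.com"))
	fmt.Println("hardened bypass:", BypassHardened(req, "*.example.com"))
}
```

The split between IP literals and names is the whole fix: once the literal is recognised as an address, the text after "%" is irrelevant to proxy selection, and a CIDR or exact-address entry in NO_PROXY is the only thing that can exempt it.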
CVE-2023-45288 | Severity: MEDIUM | CWE-400 | Affected: ≥ 0, < 0.23.0 | 2024-04-04
net/http, x/net/http2: close connections when receiving too many headers
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to s
Sources: ghsa, osv
CVE-2023-39325 | Severity: HIGH | CWE-400 | Affected: ≥ 0, < 0.17.0 | 2023-10-11
HTTP/2 rapid reset can cause excessive work in net/http
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With t
Sources: ghsa, osv
CVE-2023-44487 | Severity: MEDIUM | CWE-400 | CISA KEV | Public PoC | Affected: ≥ 0, < 0.17.0 | 2023-10-10
HTTP/2 Stream Cancellation Attack
HTTP/2 Rapid reset attack
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way; the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the
Sources: ghsa, osv
CVE-2018-17846 | Severity: HIGH | CWE-835 | Affected: ≥ 0, < 0.0.0-20190125091013-d26f9f9a57f3 | 2023-09-25
x/net/html Vulnerable to DoS During HTML Parsing
The html package (aka x/net/html) through 2018-09-25 in Go mishandles certain elements, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with the specification.
Sources: ghsa, osv
CVE-2023-3978 | Severity: MEDIUM | CWE-79 | Affected: ≥ 0, < 0.13.0 | 2023-08-02
Improper rendering of text nodes in golang.org/x/net/html
Text nodes not in the HTML namespace are incorrectly rendered literally, so text which should be escaped is not. This could lead to an XSS attack.
Sources: ghsa, osv
CVE-2022-41723 | Severity: HIGH | CWE-400 | Affected: ≥ 0, < 0.7.0 | 2023-02-17
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Sources: ghsa, osv
CVE-2022-41721 | Severity: HIGH | CWE-444 | Affected: ≥ 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862 | 2023-01-14
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 re
Sources: ghsa, osv
CVE-2022-41717 | Severity: MEDIUM | CWE-770 | Affected: ≥ 0, < 0.4.0 | 2022-12-08
golang.org/x/net/http2 vulnerable to possible excessive memory growth
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open
Sources: ghsa, osv
CVE-2022-27664 | Severity: HIGH | Affected: ≥ 0, < 0.0.0-20220906165146-f3363e06e74c | 2022-09-07
golang.org/x/net/http2 Denial of Service vulnerability
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Sources: ghsa, osv
CVE-2021-44716 | Severity: UNKNOWN | Affected: ≥ 0, < 0.0.0-20211209124913-491a49abca63 | 2022-07-15
Unbounded memory growth in net/http and golang.org/x/net/http2
An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.
Source: osv
CVE-2021-33194 | Severity: HIGH | CWE-835 | Affected: ≥ 0, < 0.0.0-20210520170846-37e1c6afe023 | 2022-05-24
golang.org/x/net/html Infinite Loop vulnerability
Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.
Sources: ghsa, osv
CVE-2019-9512 | Severity: HIGH | CWE-400 | Affected: ≥ 0, < 0.0.0-20190813141303-74dc4d7220e7 | 2022-05-24
golang.org/x/net/http vulnerable to ping floods
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Specific Go packages affected: golang.org/x/net/http2
Sources: ghsa, osv
CVE-2019-9514 | Severity: HIGH | CWE-400 | Affected: ≥ 0, < 0.0.0-20190813141303-74dc4d7220e7 | 2022-05-24
golang.org/x/net/http vulnerable to a reset flood
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a str
Source: ghsa
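The frame-flood advisories on this page (CVE-2019-9512 ping flood, CVE-2019-9514 reset flood, CVE-2023-44487 and CVE-2023-39325 rapid reset, CVE-2023-45288 CONTINUATION flood) share one shape: a client stays under the stream concurrency limit but sends control frames faster than the server can amortise them. The example below is added here and is not x/net's code or Go's actual mitigation; it is a per-connection sliding-window budget that a practitioner could put in front of an HTTP/2 frame reader or run over a decoded capture. The limit values, type names and the three constructed captures (RapidResetCapture, PingFloodCapture, SlowCancelCapture) are this example's own assumptions.

```go
package main

import "fmt"

// FrameType covers the client-sent frame types the advisories above discuss.
type FrameType int

const (
	HEADERS FrameType = iota
	CONTINUATION
	RST_STREAM
	PING
)

// Frame is one frame observed on a single client connection.
// Observe assumes frames arrive in non-decreasing AtMs order, as on a socket.
type Frame struct {
	AtMs   int64 // milliseconds since the connection was accepted
	Type   FrameType
	Stream uint32
}

// Limits is a per-connection budget over a sliding window. The defaults are
// illustrative values chosen for this example, not numbers taken from x/net.
type Limits struct {
	WindowMs        int64
	MaxResets       int // RST_STREAM per window (rapid reset / reset flood)
	MaxPings        int // PING per window (ping flood)
	MaxContinuation int // CONTINUATION per window (header data without a request)
}

var DefaultLimits = Limits{WindowMs: 1000, MaxResets: 100, MaxPings: 50, MaxContinuation: 20}

// ConnMonitor keeps the frames of one connection that fall inside the window.
type ConnMonitor struct {
	lim    Limits
	recent []Frame
}

func NewConnMonitor(l Limits) *ConnMonitor { return &ConnMonitor{lim: l} }

// Observe records a frame and returns a non-empty reason when the connection
// should be closed (a GOAWAY with ENHANCE_YOUR_CALM is the protocol-level reply).
func (m *ConnMonitor) Observe(f Frame) (reason string, abusive bool) {
	m.recent = append(m.recent, f)
	cut := f.AtMs - m.lim.WindowMs
	i := 0
	for i < len(m.recent) && m.recent[i].AtMs < cut {
		i++ // expire frames that fell out of the window
	}
	m.recent = m.recent[i:]
	var resets, pings, conts int
	for _, r := range m.recent {
		switch r.Type {
		case RST_STREAM:
			resets++
		case PING:
			pings++
		case CONTINUATION:
			conts++
		}
	}
	switch {
	case resets > m.lim.MaxResets:
		return fmt.Sprintf("%d RST_STREAM in %dms", resets, m.lim.WindowMs), true
	case pings > m.lim.MaxPings:
		return fmt.Sprintf("%d PING in %dms", pings, m.lim.WindowMs), true
	case conts > m.lim.MaxContinuation:
		return fmt.Sprintf("%d CONTINUATION in %dms", conts, m.lim.WindowMs), true
	}
	return "", false
}

// Replay feeds a frame sequence through a fresh monitor and returns the index
// of the frame at which the connection would be closed, or -1 if never.
func Replay(frames []Frame, l Limits) (int, string) {
	m := NewConnMonitor(l)
	for i, f := range frames {
		if reason, bad := m.Observe(f); bad {
			return i, reason
		}
	}
	return -1, ""
}

// RapidResetCapture (constructed): n streams opened and reset in the same millisecond.
func RapidResetCapture(n int) []Frame {
	var fs []Frame
	for i := 0; i < n; i++ {
		sid := uint32(2*i + 1)
		fs = append(fs, Frame{int64(i), HEADERS, sid}, Frame{int64(i), RST_STREAM, sid})
	}
	return fs
}

// PingFloodCapture (constructed): n PING frames one millisecond apart on stream 0.
func PingFloodCapture(n int) []Frame {
	fs := make([]Frame, n)
	for i := range fs {
		fs[i] = Frame{int64(i), PING, 0}
	}
	return fs
}

// SlowCancelCapture (constructed): n requests each cancelled halfway through a
// gapMs pause; ordinary client cancellations that must not trip the limit.
func SlowCancelCapture(n int, gapMs int64) []Frame {
	var fs []Frame
	for i := 0; i < n; i++ {
		t, sid := int64(i)*gapMs, uint32(2*i+1)
		fs = append(fs, Frame{t, HEADERS, sid}, Frame{t + gapMs/2, RST_STREAM, sid})
	}
	return fs
}

func main() {
	idx, why := Replay(RapidResetCapture(300), DefaultLimits)
	fmt.Printf("rapid reset: close at frame %d (%s)\n", idx, why)
	idx, why = Replay(SlowCancelCapture(150, 100), DefaultLimits)
	fmt.Printf("slow cancels: close at frame %d (%q)\n", idx, why)
}
```

The window is keyed on client-sent control frames only, which is what distinguishes these attacks from a busy but honest client: a legitimate client sends one RST_STREAM per abandoned request and a PING every few seconds, while the floods above send hundreds per second while holding the stream count below MaxConcurrentStreams.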
CVE-2021-31525 | Severity: MEDIUM | CWE-674 | Affected: ≥ 0, < 0.0.0-20210428140749-89ef3d95e781 | 2022-05-24
golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion
golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Sources: ghsa, osv
CVE-2018-17848 | Severity: HIGH | CWE-129 | Affected: ≥ 0, < 0.0.0-20190125002852-4b62a64f59f7 | 2022-05-13
golang.org/x/net/html Improper Validation of Array Index vulnerability
The html package (aka x/net/html) through 2018-09-25 in Go mishandles certain markup, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Source: ghsa