Golang.Org X Net vulnerabilities
25 known vulnerabilities affecting golang.org/x_net.
Total CVEs
25
CISA KEV
1
actively exploited
Public exploits
1
Exploited in wild
1
Severity breakdown
HIGH13MEDIUM8UNKNOWN4
Vulnerabilities
Page 2 of 2
CVE-2025-47911P4UNKNOWN≥ 0, < 0.45.02026-02-05
CVE-2025-47911 Quadratic parsing complexity in golang.org/x/net/html
Quadratic parsing complexity in golang.org/x/net/html
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
osv
CVE-2026-25680P4MEDIUM≥ 0, < 0.55.02026-05-26
CVE-2026-25680 [MEDIUM] CWE-400 Go Net HTML parser is vulnerable to denial of service
Go Net HTML parser is vulnerable to denial of service
In Go Net (`golang.org/x/net`) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
ghsa
CVE-2025-58190P4UNKNOWN≥ 0, < 0.45.02026-02-05
CVE-2025-58190 Infinite parsing loop in golang.org/x/net
Infinite parsing loop in golang.org/x/net
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
osv
CVE-2023-3978P4MEDIUM≥ 0, < 0.13.02023-08-02
CVE-2023-3978 [MEDIUM] CWE-79 Improper rendering of text nodes in golang.org/x/net/html
Improper rendering of text nodes in golang.org/x/net/html
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
ghsaosv
CVE-2025-22870P4MEDIUM≥ 0, < 0.36.02025-03-12
CVE-2025-22870 [MEDIUM] CWE-115 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
ghsaosv
← Previous2 / 2