CVE-2025-47911

EUVD-2025-206856
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
gohtml
𝑥
< 0.45.0
𝑥
= Vulnerable software versions
References
https://github.com/golang/vulndb/issues/4440
https://go.dev/cl/709876
https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
https://pkg.go.dev/vuln/GO-2026-4440