CVE-2025-47911

5.3 MEDIUM

📋 TL;DR

A flaw in the html.Parse function of golang.org/x/net/html (the Go extended-library HTML parser, not the standard library) lets an attacker cause denial of service: specially crafted HTML makes parsing time grow quadratically with input size, so a payload consumes CPU far out of proportion to its length. Any Go application that feeds untrusted HTML to this package is affected, in particular web servers, proxies, scrapers, sanitizers and any service that parses HTML it receives from outside.

💻 Affected Systems

Products:
  • Go applications that import golang.org/x/net/html and call html.Parse
Versions: golang.org/x/net releases before the fixed version named in the vendor advisory
Operating Systems: All platforms (the bug is in pure Go code, so the host OS is irrelevant)
Default Config Vulnerable: ⚠️ Yes (html.Parse applies no input-size or time limit of its own)
Notes: Only code paths that pass attacker-controlled input to html.Parse are exposed. Applications that do not use the package, or that only parse trusted, size-bounded HTML, are not vulnerable.

📦 What is this software?

golang.org/x/net/html is the HTML5-compliant tokenizer and parser in Go's x/net extended library. It is the usual choice for Go code that needs to walk or rewrite HTML, so it sits behind many scrapers, sanitizers, link checkers, proxies and rendering pipelines that accept HTML from outside.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability: a stream of crafted requests keeps all available CPU busy parsing, so the exhaustion affects every user of the application, not just the attacker's own requests.

🟠 Likely Case

Degraded latency or a temporary outage while attacker-controlled HTML is being parsed, often ending only when the affected process is restarted.

🟢 If Mitigated

With an input-size cap, a limit on concurrent parses and request timeouts in place, the damage is bounded to individual slow requests; some performance cost remains until the package is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires the ability to get HTML in front of html.Parse: a form field, an uploaded file, a URL the service fetches and parses, or a message body. No authentication is needed wherever the application accepts such input from unauthenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the fixed golang.org/x/net release listed in the vendor advisory (html is a package inside that module, so the module as a whole is what gets updated)

Vendor Advisory: https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c

Restart Required: Yes. Go links dependencies statically, so updating the module changes nothing until the application is rebuilt, redeployed and restarted.

Instructions:

1. Update the module: go get golang.org/x/net@latest, then go mod tidy (and go mod vendor if the repository vendors its dependencies)
2. No source changes are needed; the import path golang.org/x/net/html stays the same
3. Rebuild the application so the new module version is compiled into the binary
4. Redeploy and restart the affected services

🔧 Temporary Workarounds

Input size limiting

Platform: all

Cap the number of bytes handed to html.Parse. Because cost grows quadratically with input length, a hard byte limit bounds the worst case regardless of content. Wrap request bodies in http.MaxBytesReader (or any reader in io.LimitReader) before parsing, and set body-size limits at the reverse proxy as well.

Timeout implementation

Platform: all

Bound how long a caller waits for a parse. The caveat: html.Parse takes no context and cannot be interrupted, so context.WithTimeout around it only lets the handler give up and return an error; the goroutine doing the parse keeps consuming CPU until it finishes. Pair the timeout with the size cap above and with a limit on how many parses may run concurrently, which is what actually bounds CPU.

🧯 If You Can't Patch

  • Cap input size rather than trying to pattern-match the trigger: the parse cost is quadratic in input length, so a byte limit bounds the worst case regardless of what the HTML contains
  • Rate-limit the endpoints that accept HTML, per client, and enforce body-size limits at the WAF or reverse proxy so that repeated oversized submissions are dropped before they reach the parser
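The size cap, the timeout and the concurrency limit from the workarounds above can be combined in one wrapper. The following is an added example, not code from this page or from the golang.org/x/net project. The Guard type and GuardedParse function are hypothetical names of this example's own design, and so that it runs stand-alone it uses a stand-in parser whose cost is quadratic in input length instead of the real html.Parse. Because html.Parse has the signature func(io.Reader) (*html.Node, error), it can be passed to GuardedParse unchanged, as the comment on the function shows.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

var (
	ErrInputTooLarge = errors.New("html input exceeds size limit")
	ErrParseTimeout  = errors.New("html parse exceeded time budget")
	ErrTooBusy       = errors.New("too many concurrent html parses")
)

// Guard bounds the three resources an untrusted-HTML parse can consume:
// input bytes, wall-clock time per parse, and the number of parses in flight.
// Hypothetical type written for this example, not part of golang.org/x/net.
type Guard struct {
	MaxBytes int64
	Timeout  time.Duration
	slots    chan struct{} // one token per allowed concurrent parse
}

func NewGuard(maxBytes int64, timeout time.Duration, maxConcurrent int) *Guard {
	return &Guard{MaxBytes: maxBytes, Timeout: timeout, slots: make(chan struct{}, maxConcurrent)}
}

// GuardedParse reads at most g.MaxBytes from r, then runs parse under g.Timeout
// while holding one concurrency slot. The parser is a parameter so html.Parse
// from golang.org/x/net/html fits unchanged:
//
//	node, err := GuardedParse(ctx, g, req.Body, html.Parse)
func GuardedParse[T any](ctx context.Context, g *Guard, r io.Reader, parse func(io.Reader) (T, error)) (T, error) {
	var zero T
	// Size cap. Read MaxBytes+1 so an oversized body is rejected outright
	// rather than silently truncated and parsed anyway.
	buf, err := io.ReadAll(io.LimitReader(r, g.MaxBytes+1))
	if err != nil {
		return zero, err
	}
	if int64(len(buf)) > g.MaxBytes {
		return zero, ErrInputTooLarge
	}
	// Concurrency cap. Fail fast when every slot is busy instead of queueing
	// more CPU-bound work behind parses that may already be the slow case.
	select {
	case g.slots <- struct{}{}:
	default:
		return zero, ErrTooBusy
	}
	ctx, cancel := context.WithTimeout(ctx, g.Timeout)
	defer cancel()
	type result struct {
		val T
		err error
	}
	done := make(chan result, 1) // buffered: the goroutine must never block after we stop waiting
	go func() {
		defer func() { <-g.slots }() // released only when the parse really finishes
		v, err := parse(bytes.NewReader(buf))
		done <- result{v, err}
	}()
	select {
	case res := <-done:
		return res.val, res.err
	case <-ctx.Done():
		// html.Parse cannot be cancelled: the goroutine keeps burning CPU until it
		// returns. The timeout bounds the caller's latency; the size cap and the
		// slot count are what actually bound CPU.
		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
			return zero, ErrParseTimeout
		}
		return zero, ctx.Err()
	}
}

// fakeQuadraticParse stands in for html.Parse so the example runs without the
// x/net module. Its running time grows with the square of the input length,
// mimicking the cost profile of the vulnerable parser; it is not the real parser.
func fakeQuadraticParse(r io.Reader) (int, error) {
	b, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	n := len(b)
	time.Sleep(time.Duration(n*n) * 100 * time.Microsecond)
	return n, nil
}

func main() {
	g := NewGuard(64, 200*time.Millisecond, 4)
	for name, in := range map[string]string{
		"small":     strings.Repeat("<p>", 8),  // 24 bytes: ~58 ms, within budget
		"oversized": strings.Repeat("<p>", 40), // 120 bytes: rejected before parsing
		"slow":      strings.Repeat("<p>", 20), // 60 bytes: ~360 ms, exceeds budget
	} {
		n, err := GuardedParse(context.Background(), g, strings.NewReader(in), fakeQuadraticParse)
		fmt.Printf("%-9s bytes=%d err=%v\n", name, n, err)
	}
}
```

The detail to notice is where the concurrency slot is released: inside the goroutine, after the parse returns, not when the caller times out. A timeout alone would let a flood of requests keep starting parses that all keep running; the slot count is the CPU bound, the timeout only protects the caller's latency, and the size cap keeps each individual parse's quadratic cost small.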

🔍 How to Verify

Check if Vulnerable:

Search the code base and its dependencies for imports of golang.org/x/net/html and for calls to html.Parse, then trace whether the input to those calls can be attacker-controlled (request bodies, uploaded files, fetched pages, message content). Calls that are only ever fed trusted, size-bounded HTML do not need emergency treatment.

Check Version:

go list -m golang.org/x/net

This reports the version recorded in go.mod (or go.work); compare it with the fixed version in the vendor advisory. govulncheck from golang.org/x/vuln performs the same comparison against the Go vulnerability database and only reports the issue when html.Parse is actually reachable from your code, which removes the guesswork.

Verify Fix Applied:

Confirm the fix in the artifact you actually run, not just in go.mod: go version -m on the built binary lists the module versions compiled into it, and the golang.org/x/net line should show the fixed release. Then re-run govulncheck, which should no longer report this issue. A parse-latency regression test against a large HTML input in CI guards against the version drifting back.

📡 Detection & Monitoring

Log Indicators:

  • CPU pinned at 100% on the processes that parse HTML, out of proportion to request volume
  • html.Parse calls whose duration is far out of proportion to the input size (if the application logs parse timings)
  • Rising timeout or error rates on endpoints that process HTML

Network Indicators:

  • Repeated HTML submissions from the same client to parsing endpoints; because cost grows quadratically, the payload need not be large in absolute terms
  • Unusual traffic patterns to HTML-processing services, such as bursts of uploads or fetch requests from a single source

SIEM Query:

index=app event=html_parse duration_ms>5000 | stats count, avg(duration_ms), max(bytes) by src_ip

This Splunk-style query assumes the application emits one structured event per parse with duration_ms, bytes and src_ip fields; golang.org/x/net/html logs nothing itself, so instrumentation around the html.Parse call is what makes any SIEM rule possible. CPU saturation is better taken from host metrics than from application logs.
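The log indicators above only become actionable if the application records how long each html.Parse call took and how many bytes it was given. The following is an added example, not code from this page or from golang.org/x/net, of the detection logic run over a few constructed log lines in a JSON-per-line format this example assumes (the html_parse event name and the field names are its own convention). It flags parses whose cost per kibibyte is out of proportion, which catches the quadratic case even when the payload is small enough that an absolute size threshold would miss it.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// parseEvent is the structured log record this example assumes the application
// writes around each call to html.Parse. The field names are this example's own
// convention; golang.org/x/net/html itself logs nothing.
type parseEvent struct {
	Event      string  `json:"event"`
	SrcIP      string  `json:"src_ip"`
	Bytes      int     `json:"bytes"`
	DurationMS float64 `json:"duration_ms"`
}

// sampleLogs are constructed for this example, not captured from a real system.
// Two 30 KiB bodies from 203.0.113.7 take seconds, while a 200 KiB body from a
// normal client takes a fraction of that. One non-parse event and one malformed
// line are included to show they are skipped.
const sampleLogs = `{"event":"html_parse","src_ip":"198.51.100.20","bytes":51200,"duration_ms":26}
{"event":"request","src_ip":"198.51.100.20","path":"/render","status":200}
{"event":"html_parse","src_ip":"203.0.113.7","bytes":30720,"duration_ms":4800}
{"event":"html_parse","src_ip":"198.51.100.21","bytes":204800,"duration_ms":110}
{"event":"html_parse","src_ip":"203.0.113.7","bytes":30720,"duration_ms":5100}
not json at all`

// Finding is one parse event judged anomalous, with the ratio that triggered it.
type Finding struct {
	SrcIP      string
	Bytes      int
	DurationMS float64
	MsPerKB    float64
}

// FindSlowParses flags html_parse events whose cost per KiB exceeds maxMsPerKB.
// A linear parser has a roughly constant ms/KiB; a quadratic blow-up shows as a
// ratio that climbs with input size, so the ratio catches the attack even when
// the payload is modest in absolute bytes.
func FindSlowParses(logs string, maxMsPerKB float64) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var ev parseEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil || ev.Event != "html_parse" || ev.Bytes <= 0 {
			continue // skip non-parse events and malformed lines
		}
		ratio := ev.DurationMS / (float64(ev.Bytes) / 1024)
		if ratio > maxMsPerKB {
			out = append(out, Finding{ev.SrcIP, ev.Bytes, ev.DurationMS, ratio})
		}
	}
	return out
}

// CountBySource aggregates findings per client, which is the input a
// rate-limit or WAF block decision needs.
func CountBySource(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.SrcIP]++
	}
	return counts
}

func main() {
	findings := FindSlowParses(sampleLogs, 20)
	for _, f := range findings {
		fmt.Printf("slow parse from %s: %d bytes in %.0f ms (%.1f ms/KiB)\n", f.SrcIP, f.Bytes, f.DurationMS, f.MsPerKB)
	}
	fmt.Println("per source:", CountBySource(findings))
}
```

The 20 ms/KiB threshold is a constructed starting point; in practice derive it from the application's own baseline (the normal events above run at about 0.5 ms/KiB), and alert on the per-source count rather than on single events to avoid paging on one slow request.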
