CVE-2025-58190 – CVE-2025-58190 is a denial-of-service vulnerabi... (How to Fix)

📋 TL;DR

CVE-2025-58190 is a denial-of-service vulnerability in Go's html.Parse function that causes infinite parsing loops when processing specially crafted HTML content. This affects any Go application using golang.org/x/net/html to parse untrusted HTML input, potentially allowing attackers to crash services.

💻 Affected Systems

Products:

Go applications using golang.org/x/net/html package

Versions: All versions before the fix

Operating Systems: All platforms running Go

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications that parse untrusted HTML input using html.Parse function

📦 What is this software?

Html by Go

View all CVEs affecting Html →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion (CPU/memory) from infinite loops, leading to sustained downtime.

🟠

Likely Case

Service degradation or crashes affecting availability when attackers send malicious HTML payloads.

🟢

If Mitigated

Limited impact with proper input validation, rate limiting, and resource constraints in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires sending specially crafted HTML to vulnerable parsing endpoint

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest golang.org/x/net/html package

Vendor Advisory: https://pkg.go.dev/vuln/GO-2026-4441

Restart Required: Yes

Instructions:

1. Update Go modules: go get -u golang.org/x/net/html
2. Rebuild and redeploy application
3. Restart affected services

🔧 Temporary Workarounds

Input validation and sanitization

all

Validate and sanitize HTML input before parsing

Resource limiting

all

Implement timeouts and resource limits on HTML parsing operations

🧯 If You Can't Patch

Implement strict input validation to reject suspicious HTML patterns
Deploy WAF rules to block malicious HTML payloads before reaching application

🔍 How to Verify

Check if Vulnerable:

Check go.mod for golang.org/x/net/html version and compare with patched version

Check Version:

go list -m golang.org/x/net/html

Verify Fix Applied:

Verify updated package version and test with known malicious HTML samples

📡 Detection & Monitoring

Log Indicators:

High CPU usage spikes
Application crashes during HTML parsing
Request timeouts on HTML endpoints

Network Indicators:

Repeated HTML payloads to parsing endpoints
Unusually large HTML content

SIEM Query:

source="application.logs" AND ("html.Parse" OR "parsing loop") AND (cpu_usage>90 OR status="crash")

📊 Metadata

CVE ID: CVE-2025-58190

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-835

EPSS Score: 0.06% exploit probability (18.2th percentile)

Published: February 5, 2026

Last Updated: February 18, 2026

🔗 References

https://github.com/golang/vulndb/issues/4441 Exploit,Issue Tracking
https://go.dev/cl/709875 Patch
https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c Mailing List,Third Party Advisory
https://pkg.go.dev/vuln/GO-2026-4441 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-58190, you might also want to check these: