Vulnerability Report: GO-2021-0078

CVE-2018-17075, GHSA-5p4h-3377-7w67
Affects: golang.org/x/net
Published: Apr 14, 2021
Modified: Jun 12, 2023

The HTML parser does not properly handle "in frameset" insertion mode, and can be made to panic when operating on malformed HTML that contains <template> tags. If operating on user input, this may be a vector for a denial of service attack.

Affected Packages

Path

Versions

Symbols
golang.org/x/net/html

before v0.0.0-20180816102801-aaf60122140d
- Parse
- ParseFragment

Aliases

CVE-2018-17075
GHSA-5p4h-3377-7w67

References

https://go.dev/cl/123776
https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50
https://go.dev/issue/27016
https://bugs.chromium.org/p/chromium/issues/detail?id=829668
https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906
https://vuln.go.dev/ID/GO-2021-0078.json

Credits

Kunpei Sakai

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL