Search
Find a vulnerability
Search criteria
38 vulnerabilities by golang.org/x/net
CVE-2026-42506 (GCVE-0-2026-42506)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:45
VLAI
Title
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:45:29.886387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:45:49.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.056Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79571"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781700"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5025"
}
],
"title": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42506",
"datePublished": "2026-05-22T15:01:21.056Z",
"dateReserved": "2026-04-28T00:21:12.792Z",
"dateUpdated": "2026-05-22T17:45:49.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42502 (GCVE-0-2026-42502)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:17
VLAI
Title
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:16:33.414557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:17:20.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tristan Madani"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.649Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79572"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781701"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5027"
}
],
"title": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42502",
"datePublished": "2026-05-22T15:01:21.649Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-22T17:17:20.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39821 (GCVE-0-2026-39821)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-06-30 03:15
VLAI
Title
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Summary
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity
9.6 (Critical)
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
21 references
Impacted products
81 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39821",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T03:55:58.522682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:13:15.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.10::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.9::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.8::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_builds:1"
],
"defaultStatus": "affected",
"product": "Builds for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_compliance_operator:1"
],
"defaultStatus": "affected",
"product": "Compliance Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:deployment_validator_operator"
],
"defaultStatus": "affected",
"product": "Deployment Validation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_far:0"
],
"defaultStatus": "affected",
"product": "Fence Agents Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "affected",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_mdr:0"
],
"defaultStatus": "affected",
"product": "Machine Deletion Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "affected",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_3scale_amp:2"
],
"defaultStatus": "affected",
"product": "Red Hat 3scale API Management Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_service_on_aws:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift on AWS",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:webterminal:1"
],
"defaultStatus": "affected",
"product": "Red Hat Web Terminal",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-22T15:01:21.462Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `idna` package, specifically within the `golang.org/x/net/idna` component. This vulnerability allows for privilege escalation due to incorrect processing of Punycode-encoded labels. An attacker could craft a malicious Punycode label that, when initially checked, appears safe but then decodes to a restricted ASCII hostname, bypassing security controls and gaining unauthorized access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:52.607Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"name": "RHBZ#2480756",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39821.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30855"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30853"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30854"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30651"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26547"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26546"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33183"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30650"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:30855: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:30853: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:30854: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13"
},
{
"lang": "en",
"value": "RHSA-2026:26547: Red Hat Advanced Cluster Security for Kubernetes 4.10"
},
{
"lang": "en",
"value": "RHSA-2026:26546: Red Hat Advanced Cluster Security for Kubernetes 4.9"
},
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30650: multicluster engine for Kubernetes 2.8"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T16:00:52.844Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-22T15:01:21.462Z",
"value": "Made public."
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/idna",
"product": "golang.org/x/net/idna",
"programRoutines": [
{
"name": "Profile.process"
},
{
"name": "Profile.ToASCII"
},
{
"name": "Profile.ToUnicode"
},
{
"name": "ToASCII"
},
{
"name": "ToUnicode"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "KC1zs4 (https://github.com/KC1zs4)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\"."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.462Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/767220"
},
{
"url": "https://go.dev/issue/78760"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"title": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39821",
"datePublished": "2026-05-22T15:01:21.462Z",
"dateReserved": "2026-04-07T18:13:03.526Z",
"dateUpdated": "2026-06-30T03:15:52.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27136 (GCVE-0-2026-27136)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59
VLAI
Title
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T16:59:35.355098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:59:52.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:22.111Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79575"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781685"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5030"
}
],
"title": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27136",
"datePublished": "2026-05-22T15:01:22.111Z",
"dateReserved": "2026-02-17T19:57:28.434Z",
"dateUpdated": "2026-05-22T16:59:52.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25681 (GCVE-0-2026-25681)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46
VLAI
Title
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:46:00.775026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:46:20.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.975Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79574"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781703"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5029"
}
],
"title": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-25681",
"datePublished": "2026-05-22T15:01:21.975Z",
"dateReserved": "2026-02-05T01:35:43.738Z",
"dateUpdated": "2026-05-22T17:46:20.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25680 (GCVE-0-2026-25680)
Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00
VLAI
Title
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Summary
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:00:30.926552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:00:35.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "IPC Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.805Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/781702"
},
{
"url": "https://go.dev/issue/79573"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5028"
}
],
"title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-25680",
"datePublished": "2026-05-22T15:01:21.805Z",
"dateReserved": "2026-02-05T01:35:43.737Z",
"dateUpdated": "2026-05-22T17:00:35.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33814 (GCVE-0-2026-33814)
Vulnerability from nvd – Published: 2026-05-07 19:41 – Updated: 2026-06-30 03:15
VLAI
Title
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
Summary
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://go.dev/cl/761581 | |
| https://go.dev/cl/761640 | |
| https://go.dev/issue/78476 | |
| https://groups.google.com/g/golang-announce/c/qcC… | |
| https://pkg.go.dev/vuln/GO-2026-4918 | |
| https://access.redhat.com/security/cve/CVE-2026-33814 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467815 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:23262 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:23264 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33120 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33123 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33142 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33150 | vendor-advisoryx_refsource_REDHAT |
Impacted products
14 products
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.53.0
(semver)
|
|
| Go standard library | net/http |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.0 |
cpe:/a:redhat:service_mesh:3.0::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.1 |
cpe:/a:redhat:service_mesh:3.1::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.2 |
cpe:/a:redhat:service_mesh:3.2::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.3 |
cpe:/a:redhat:service_mesh:3.3::el9 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat OpenShift Virtualization 4 |
cpe:/a:redhat:container_native_virtualization:4 |
|
| Red Hat | OpenShift Service Mesh 2 |
cpe:/a:redhat:service_mesh:2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T18:00:53.951676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T18:01:02.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:17.631Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-606",
"description": "Unchecked Input for Loop Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:53.495Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33814"
},
{
"name": "RHBZ#2467815",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467815"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:01:11.324Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:17.631Z",
"value": "Made public."
}
],
"title": "net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.NewClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "unencryptedTransport.RoundTrip"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.53.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "Get"
},
{
"name": "Head"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "http1ClientConn.Close"
},
{
"name": "http1ClientConn.RoundTrip"
},
{
"name": "http2Transport.NewClientConn"
},
{
"name": "http2Transport.RoundTrip"
},
{
"name": "http2Transport.RoundTripOpt"
},
{
"name": "http2clientConnPool.GetClientConn"
},
{
"name": "http2noDialClientConnPool.GetClientConn"
},
{
"name": "http2noDialH2RoundTripper.NewClientConn"
},
{
"name": "http2noDialH2RoundTripper.RoundTrip"
},
{
"name": "http2unencryptedTransport.RoundTrip"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marwan Atia (marwansamir688@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:17.631Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/761581"
},
{
"url": "https://go.dev/cl/761640"
},
{
"url": "https://go.dev/issue/78476"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4918"
}
],
"title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33814",
"datePublished": "2026-05-07T19:41:17.631Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-06-30T03:15:53.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27141 (GCVE-0-2026-27141)
Vulnerability from nvd – Published: 2026-02-26 18:50 – Updated: 2026-02-27 19:11
VLAI
Title
Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
Summary
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0.50.0 , < 0.51.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:11:24.117207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:11:57.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "typeFrameParser"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.Ping"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "ClientConn.Shutdown"
},
{
"name": "ConfigureServer"
},
{
"name": "ConfigureTransport"
},
{
"name": "ConfigureTransports"
},
{
"name": "ConnectionError.Error"
},
{
"name": "ErrCode.String"
},
{
"name": "FrameHeader.String"
},
{
"name": "FrameType.String"
},
{
"name": "FrameWriteRequest.String"
},
{
"name": "Framer.ReadFrame"
},
{
"name": "Framer.ReadFrameForHeader"
},
{
"name": "Framer.ReadFrameHeader"
},
{
"name": "Framer.WriteContinuation"
},
{
"name": "Framer.WriteData"
},
{
"name": "Framer.WriteDataPadded"
},
{
"name": "Framer.WriteGoAway"
},
{
"name": "Framer.WriteHeaders"
},
{
"name": "Framer.WritePing"
},
{
"name": "Framer.WritePriority"
},
{
"name": "Framer.WritePriorityUpdate"
},
{
"name": "Framer.WritePushPromise"
},
{
"name": "Framer.WriteRSTStream"
},
{
"name": "Framer.WriteRawFrame"
},
{
"name": "Framer.WriteSettings"
},
{
"name": "Framer.WriteSettingsAck"
},
{
"name": "Framer.WriteWindowUpdate"
},
{
"name": "GoAwayError.Error"
},
{
"name": "ReadFrameHeader"
},
{
"name": "Server.ServeConn"
},
{
"name": "Setting.String"
},
{
"name": "SettingID.String"
},
{
"name": "SettingsFrame.ForeachSetting"
},
{
"name": "StreamError.Error"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "bufferedWriter.Flush"
},
{
"name": "bufferedWriter.Write"
},
{
"name": "bufferedWriterTimeoutWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "connError.Error"
},
{
"name": "dataBuffer.Read"
},
{
"name": "duplicatePseudoHeaderError.Error"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "headerFieldNameError.Error"
},
{
"name": "headerFieldValueError.Error"
},
{
"name": "netHTTPClientConn.Close"
},
{
"name": "netHTTPClientConn.RoundTrip"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.NewClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "pipe.Read"
},
{
"name": "priorityWriteSchedulerRFC7540.CloseStream"
},
{
"name": "priorityWriteSchedulerRFC7540.OpenStream"
},
{
"name": "priorityWriteSchedulerRFC9218.OpenStream"
},
{
"name": "pseudoHeaderError.Error"
},
{
"name": "requestBody.Close"
},
{
"name": "requestBody.Read"
},
{
"name": "responseWriter.Flush"
},
{
"name": "responseWriter.FlushError"
},
{
"name": "responseWriter.Push"
},
{
"name": "responseWriter.SetReadDeadline"
},
{
"name": "responseWriter.SetWriteDeadline"
},
{
"name": "responseWriter.Write"
},
{
"name": "responseWriter.WriteHeader"
},
{
"name": "responseWriter.WriteString"
},
{
"name": "roundRobinWriteScheduler.OpenStream"
},
{
"name": "serverConn.CloseConn"
},
{
"name": "serverConn.Flush"
},
{
"name": "stickyErrWriter.Write"
},
{
"name": "transportResponseBody.Close"
},
{
"name": "transportResponseBody.Read"
},
{
"name": "unencryptedTransport.RoundTrip"
},
{
"name": "writeData.String"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.51.0",
"status": "affected",
"version": "0.50.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:50:31.830Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
},
{
"url": "https://go.dev/cl/746180"
},
{
"url": "https://go.dev/issue/77652"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4559"
}
],
"title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27141",
"datePublished": "2026-02-26T18:50:31.830Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-02-27T19:11:57.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58190 (GCVE-0-2025-58190)
Vulnerability from nvd – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22
VLAI
Title
Infinite parsing loop in golang.org/x/net
Summary
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Exit Condition
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.45.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:22:10.801204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T15:22:37.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "inRowIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.693Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
},
{
"url": "https://github.com/golang/vulndb/issues/4441"
},
{
"url": "https://go.dev/cl/709875"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4441"
}
],
"title": "Infinite parsing loop in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58190",
"datePublished": "2026-02-05T17:48:44.693Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2026-02-12T15:22:37.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47911 (GCVE-0-2025-47911)
Vulnerability from nvd – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:23
VLAI
Title
Quadratic parsing complexity in golang.org/x/net/html
Summary
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.45.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:23:40.307728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T15:23:55.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
},
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.562Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709876"
},
{
"url": "https://github.com/golang/vulndb/issues/4440"
},
{
"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4440"
}
],
"title": "Quadratic parsing complexity in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-47911",
"datePublished": "2026-02-05T17:48:44.562Z",
"dateReserved": "2025-05-13T23:31:29.597Z",
"dateUpdated": "2026-02-12T15:23:55.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22872 (GCVE-0-2025-22872)
Vulnerability from nvd – Published: 2025-04-16 17:13 – Updated: 2025-05-16 23:03
VLAI
Title
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
Summary
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.38.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T20:14:29.607584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T20:15:13.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-16T23:03:07.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250516-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "Tokenizer.readStartTag"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
},
{
"name": "Tokenizer.Next"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.38.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sean Ng (https://ensy.zip)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T17:13:02.550Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/662715"
},
{
"url": "https://go.dev/issue/73070"
},
{
"url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3595"
}
],
"title": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22872",
"datePublished": "2025-04-16T17:13:02.550Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2025-05-16T23:03:07.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22870 (GCVE-0-2025-22870)
Vulnerability from nvd – Published: 2025-03-12 18:27 – Updated: 2026-04-16 22:39
VLAI
Title
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Summary
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-115 Misinterpretation of Input
- CWE-115 - Misinterpretation of Input
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.23.7
(semver)
Affected: 1.24.0-0 , < 1.24.1 (semver) |
|
| golang.org/x/net | golang.org/x/net/http/httpproxy |
Affected:
0 , < 0.36.0
(semver)
|
|
| golang.org/x/net | golang.org/x/net/proxy |
Affected:
0 , < 0.36.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-09T20:03:37.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250509-0007/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:31:16.493335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115 Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:32:14.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "envProxyFunc"
},
{
"name": "ProxyFromEnvironment"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.23.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.1",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http/httpproxy",
"product": "golang.org/x/net/http/httpproxy",
"programRoutines": [
{
"name": "config.useProxy"
},
{
"name": "domainMatch.match"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/proxy",
"product": "golang.org/x/net/proxy",
"programRoutines": [
{
"name": "PerHost.dialerForRequest"
},
{
"name": "PerHost.AddFromString"
},
{
"name": "Dial"
},
{
"name": "FromEnvironment"
},
{
"name": "FromEnvironmentUsing"
},
{
"name": "PerHost.Dial"
},
{
"name": "PerHost.DialContext"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-115 Misinterpretation of Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T22:39:33.619Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/654697"
},
{
"url": "https://go.dev/issue/71984"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3503"
}
],
"title": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22870",
"datePublished": "2025-03-12T18:27:59.376Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2026-04-16T22:39:33.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45338 (GCVE-0-2024-45338)
Vulnerability from nvd – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
VLAI
Title
Non-linear parsing of case-insensitive content in golang.org/x/net/html
Summary
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.33.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T19:51:42.228627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:55:04.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:32.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parseDoctype"
},
{
"name": "htmlIntegrationPoint"
},
{
"name": "inTableIM"
},
{
"name": "inBodyIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.33.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T20:38:22.660Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/637536"
},
{
"url": "https://go.dev/issue/70906"
},
{
"url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-3333"
}
],
"title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45338",
"datePublished": "2024-12-18T20:38:22.660Z",
"dateReserved": "2024-08-27T19:41:58.555Z",
"dateUpdated": "2025-02-21T18:03:32.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45288 (GCVE-0-2023-45288)
Vulnerability from nvd – Published: 2024-04-04 20:37 – Updated: 2025-11-04 18:17
VLAI
Title
HTTP/2 CONTINUATION flood in net/http
Summary
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
9 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.21.9
(semver)
Affected: 1.22.0-0 , < 1.22.2 (semver) |
|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.23.0
(semver)
|
|
| go_standard_library | net\/http |
Affected:
0 , < 1.21.9
(custom)
Affected: 1.22.0-0 , < 1.22.2 (custom) cpe:2.3:a:go_standard_library:net\/http:*:*:*:*:*:*:*:* |
|
| golang | http2 |
Affected:
0 , < 0.23.0
(custom)
cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:17:43.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/65051"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/576155"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
},
{
"url": "https://www.kb.cert.org/vuls/id/421644"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "net\\/http",
"vendor": "go_standard_library",
"versions": [
{
"lessThan": "1.21.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.22.2",
"status": "affected",
"version": "1.22.0-0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "http2",
"vendor": "golang",
"versions": [
{
"lessThan": "0.23.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T17:08:42.212936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:40:01.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2Framer.readMetaFrame"
},
{
"name": "CanonicalHeaderKey"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "Cookie.String"
},
{
"name": "Cookie.Valid"
},
{
"name": "Dir.Open"
},
{
"name": "Error"
},
{
"name": "Get"
},
{
"name": "HandlerFunc.ServeHTTP"
},
{
"name": "Head"
},
{
"name": "Header.Add"
},
{
"name": "Header.Del"
},
{
"name": "Header.Get"
},
{
"name": "Header.Set"
},
{
"name": "Header.Values"
},
{
"name": "Header.Write"
},
{
"name": "Header.WriteSubset"
},
{
"name": "ListenAndServe"
},
{
"name": "ListenAndServeTLS"
},
{
"name": "NewRequest"
},
{
"name": "NewRequestWithContext"
},
{
"name": "NotFound"
},
{
"name": "ParseTime"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "ProxyFromEnvironment"
},
{
"name": "ReadRequest"
},
{
"name": "ReadResponse"
},
{
"name": "Redirect"
},
{
"name": "Request.AddCookie"
},
{
"name": "Request.BasicAuth"
},
{
"name": "Request.FormFile"
},
{
"name": "Request.FormValue"
},
{
"name": "Request.MultipartReader"
},
{
"name": "Request.ParseForm"
},
{
"name": "Request.ParseMultipartForm"
},
{
"name": "Request.PostFormValue"
},
{
"name": "Request.Referer"
},
{
"name": "Request.SetBasicAuth"
},
{
"name": "Request.UserAgent"
},
{
"name": "Request.Write"
},
{
"name": "Request.WriteProxy"
},
{
"name": "Response.Cookies"
},
{
"name": "Response.Location"
},
{
"name": "Response.Write"
},
{
"name": "ResponseController.EnableFullDuplex"
},
{
"name": "ResponseController.Flush"
},
{
"name": "ResponseController.Hijack"
},
{
"name": "ResponseController.SetReadDeadline"
},
{
"name": "ResponseController.SetWriteDeadline"
},
{
"name": "Serve"
},
{
"name": "ServeContent"
},
{
"name": "ServeFile"
},
{
"name": "ServeMux.ServeHTTP"
},
{
"name": "ServeTLS"
},
{
"name": "Server.Close"
},
{
"name": "Server.ListenAndServe"
},
{
"name": "Server.ListenAndServeTLS"
},
{
"name": "Server.Serve"
},
{
"name": "Server.ServeTLS"
},
{
"name": "Server.SetKeepAlivesEnabled"
},
{
"name": "Server.Shutdown"
},
{
"name": "SetCookie"
},
{
"name": "Transport.CancelRequest"
},
{
"name": "Transport.Clone"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "body.Close"
},
{
"name": "body.Read"
},
{
"name": "bodyEOFSignal.Close"
},
{
"name": "bodyEOFSignal.Read"
},
{
"name": "bodyLocked.Read"
},
{
"name": "bufioFlushWriter.Write"
},
{
"name": "cancelTimerBody.Close"
},
{
"name": "cancelTimerBody.Read"
},
{
"name": "checkConnErrorWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "connReader.Read"
},
{
"name": "connectMethodKey.String"
},
{
"name": "expectContinueReader.Close"
},
{
"name": "expectContinueReader.Read"
},
{
"name": "extraHeader.Write"
},
{
"name": "fileHandler.ServeHTTP"
},
{
"name": "fileTransport.RoundTrip"
},
{
"name": "globalOptionsHandler.ServeHTTP"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "http2ClientConn.Close"
},
{
"name": "http2ClientConn.Ping"
},
{
"name": "http2ClientConn.RoundTrip"
},
{
"name": "http2ClientConn.Shutdown"
},
{
"name": "http2ConnectionError.Error"
},
{
"name": "http2ErrCode.String"
},
{
"name": "http2FrameHeader.String"
},
{
"name": "http2FrameType.String"
},
{
"name": "http2FrameWriteRequest.String"
},
{
"name": "http2Framer.ReadFrame"
},
{
"name": "http2Framer.WriteContinuation"
},
{
"name": "http2Framer.WriteData"
},
{
"name": "http2Framer.WriteDataPadded"
},
{
"name": "http2Framer.WriteGoAway"
},
{
"name": "http2Framer.WriteHeaders"
},
{
"name": "http2Framer.WritePing"
},
{
"name": "http2Framer.WritePriority"
},
{
"name": "http2Framer.WritePushPromise"
},
{
"name": "http2Framer.WriteRSTStream"
},
{
"name": "http2Framer.WriteRawFrame"
},
{
"name": "http2Framer.WriteSettings"
},
{
"name": "http2Framer.WriteSettingsAck"
},
{
"name": "http2Framer.WriteWindowUpdate"
},
{
"name": "http2GoAwayError.Error"
},
{
"name": "http2Server.ServeConn"
},
{
"name": "http2Setting.String"
},
{
"name": "http2SettingID.String"
},
{
"name": "http2SettingsFrame.ForeachSetting"
},
{
"name": "http2StreamError.Error"
},
{
"name": "http2Transport.CloseIdleConnections"
},
{
"name": "http2Transport.NewClientConn"
},
{
"name": "http2Transport.RoundTrip"
},
{
"name": "http2Transport.RoundTripOpt"
},
{
"name": "http2bufferedWriter.Flush"
},
{
"name": "http2bufferedWriter.Write"
},
{
"name": "http2chunkWriter.Write"
},
{
"name": "http2clientConnPool.GetClientConn"
},
{
"name": "http2connError.Error"
},
{
"name": "http2dataBuffer.Read"
},
{
"name": "http2duplicatePseudoHeaderError.Error"
},
{
"name": "http2gzipReader.Close"
},
{
"name": "http2gzipReader.Read"
},
{
"name": "http2headerFieldNameError.Error"
},
{
"name": "http2headerFieldValueError.Error"
},
{
"name": "http2noDialClientConnPool.GetClientConn"
},
{
"name": "http2noDialH2RoundTripper.RoundTrip"
},
{
"name": "http2pipe.Read"
},
{
"name": "http2priorityWriteScheduler.CloseStream"
},
{
"name": "http2priorityWriteScheduler.OpenStream"
},
{
"name": "http2pseudoHeaderError.Error"
},
{
"name": "http2requestBody.Close"
},
{
"name": "http2requestBody.Read"
},
{
"name": "http2responseWriter.Flush"
},
{
"name": "http2responseWriter.FlushError"
},
{
"name": "http2responseWriter.Push"
},
{
"name": "http2responseWriter.SetReadDeadline"
},
{
"name": "http2responseWriter.SetWriteDeadline"
},
{
"name": "http2responseWriter.Write"
},
{
"name": "http2responseWriter.WriteHeader"
},
{
"name": "http2responseWriter.WriteString"
},
{
"name": "http2roundRobinWriteScheduler.OpenStream"
},
{
"name": "http2serverConn.CloseConn"
},
{
"name": "http2serverConn.Flush"
},
{
"name": "http2stickyErrWriter.Write"
},
{
"name": "http2transportResponseBody.Close"
},
{
"name": "http2transportResponseBody.Read"
},
{
"name": "http2writeData.String"
},
{
"name": "initALPNRequest.ServeHTTP"
},
{
"name": "loggingConn.Close"
},
{
"name": "loggingConn.Read"
},
{
"name": "loggingConn.Write"
},
{
"name": "maxBytesReader.Close"
},
{
"name": "maxBytesReader.Read"
},
{
"name": "onceCloseListener.Close"
},
{
"name": "persistConn.Read"
},
{
"name": "persistConnWriter.ReadFrom"
},
{
"name": "persistConnWriter.Write"
},
{
"name": "populateResponse.Write"
},
{
"name": "populateResponse.WriteHeader"
},
{
"name": "readTrackingBody.Close"
},
{
"name": "readTrackingBody.Read"
},
{
"name": "readWriteCloserBody.Read"
},
{
"name": "redirectHandler.ServeHTTP"
},
{
"name": "response.Flush"
},
{
"name": "response.FlushError"
},
{
"name": "response.Hijack"
},
{
"name": "response.ReadFrom"
},
{
"name": "response.Write"
},
{
"name": "response.WriteHeader"
},
{
"name": "response.WriteString"
},
{
"name": "serverHandler.ServeHTTP"
},
{
"name": "socksDialer.DialWithConn"
},
{
"name": "socksUsernamePassword.Authenticate"
},
{
"name": "stringWriter.WriteString"
},
{
"name": "timeoutHandler.ServeHTTP"
},
{
"name": "timeoutWriter.Write"
},
{
"name": "timeoutWriter.WriteHeader"
},
{
"name": "transportReadFromServerError.Error"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.21.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.22.2",
"status": "affected",
"version": "1.22.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "Framer.readMetaFrame"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.Ping"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "ClientConn.Shutdown"
},
{
"name": "ConfigureServer"
},
{
"name": "ConfigureTransport"
},
{
"name": "ConfigureTransports"
},
{
"name": "ConnectionError.Error"
},
{
"name": "ErrCode.String"
},
{
"name": "FrameHeader.String"
},
{
"name": "FrameType.String"
},
{
"name": "FrameWriteRequest.String"
},
{
"name": "Framer.ReadFrame"
},
{
"name": "Framer.WriteContinuation"
},
{
"name": "Framer.WriteData"
},
{
"name": "Framer.WriteDataPadded"
},
{
"name": "Framer.WriteGoAway"
},
{
"name": "Framer.WriteHeaders"
},
{
"name": "Framer.WritePing"
},
{
"name": "Framer.WritePriority"
},
{
"name": "Framer.WritePushPromise"
},
{
"name": "Framer.WriteRSTStream"
},
{
"name": "Framer.WriteRawFrame"
},
{
"name": "Framer.WriteSettings"
},
{
"name": "Framer.WriteSettingsAck"
},
{
"name": "Framer.WriteWindowUpdate"
},
{
"name": "GoAwayError.Error"
},
{
"name": "ReadFrameHeader"
},
{
"name": "Server.ServeConn"
},
{
"name": "Setting.String"
},
{
"name": "SettingID.String"
},
{
"name": "SettingsFrame.ForeachSetting"
},
{
"name": "StreamError.Error"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "bufferedWriter.Flush"
},
{
"name": "bufferedWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "connError.Error"
},
{
"name": "dataBuffer.Read"
},
{
"name": "duplicatePseudoHeaderError.Error"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "headerFieldNameError.Error"
},
{
"name": "headerFieldValueError.Error"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "pipe.Read"
},
{
"name": "priorityWriteScheduler.CloseStream"
},
{
"name": "priorityWriteScheduler.OpenStream"
},
{
"name": "pseudoHeaderError.Error"
},
{
"name": "requestBody.Close"
},
{
"name": "requestBody.Read"
},
{
"name": "responseWriter.Flush"
},
{
"name": "responseWriter.FlushError"
},
{
"name": "responseWriter.Push"
},
{
"name": "responseWriter.SetReadDeadline"
},
{
"name": "responseWriter.SetWriteDeadline"
},
{
"name": "responseWriter.Write"
},
{
"name": "responseWriter.WriteHeader"
},
{
"name": "responseWriter.WriteString"
},
{
"name": "roundRobinWriteScheduler.OpenStream"
},
{
"name": "serverConn.CloseConn"
},
{
"name": "serverConn.Flush"
},
{
"name": "stickyErrWriter.Write"
},
{
"name": "transportResponseBody.Close"
},
{
"name": "transportResponseBody.Read"
},
{
"name": "writeData.String"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.23.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bartek Nowotarski (https://nowotarski.info/)"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:10:07.754Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/65051"
},
{
"url": "https://go.dev/cl/576155"
},
{
"url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
}
],
"title": "HTTP/2 CONTINUATION flood in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-45288",
"datePublished": "2024-04-04T20:37:30.714Z",
"dateReserved": "2023-10-06T17:06:26.221Z",
"dateUpdated": "2025-11-04T18:17:43.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-39325 (GCVE-0-2023-39325)
Vulnerability from nvd – Published: 2023-10-11 21:15 – Updated: 2025-02-13 17:02
VLAI
Title
HTTP/2 rapid reset can cause excessive work in net/http
Summary
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Severity
No CVSS data available.
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
43 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.20.10
(semver)
Affected: 1.21.0-0 , < 1.21.3 (semver) |
|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.17.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/63417"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/534215"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/534235"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2serverConn.serve"
},
{
"name": "http2serverConn.processHeaders"
},
{
"name": "http2serverConn.upgradeRequest"
},
{
"name": "http2serverConn.runHandler"
},
{
"name": "ListenAndServe"
},
{
"name": "ListenAndServeTLS"
},
{
"name": "Serve"
},
{
"name": "ServeTLS"
},
{
"name": "Server.ListenAndServe"
},
{
"name": "Server.ListenAndServeTLS"
},
{
"name": "Server.Serve"
},
{
"name": "Server.ServeTLS"
},
{
"name": "http2Server.ServeConn"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.20.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.3",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "serverConn.serve"
},
{
"name": "serverConn.processHeaders"
},
{
"name": "serverConn.upgradeRequest"
},
{
"name": "serverConn.runHandler"
},
{
"name": "Server.ServeConn"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-28T04:05:57.980Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/63417"
},
{
"url": "https://go.dev/cl/534215"
},
{
"url": "https://go.dev/cl/534235"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
}
],
"title": "HTTP/2 rapid reset can cause excessive work in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-39325",
"datePublished": "2023-10-11T21:15:02.727Z",
"dateReserved": "2023-07-27T17:05:55.188Z",
"dateUpdated": "2025-02-13T17:02:50.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-27136 (GCVE-0-2026-27136)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59
VLAI
Title
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T16:59:35.355098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:59:52.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:22.111Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79575"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781685"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5030"
}
],
"title": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27136",
"datePublished": "2026-05-22T15:01:22.111Z",
"dateReserved": "2026-02-17T19:57:28.434Z",
"dateUpdated": "2026-05-22T16:59:52.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25681 (GCVE-0-2026-25681)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46
VLAI
Title
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:46:00.775026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:46:20.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.975Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79574"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781703"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5029"
}
],
"title": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-25681",
"datePublished": "2026-05-22T15:01:21.975Z",
"dateReserved": "2026-02-05T01:35:43.738Z",
"dateUpdated": "2026-05-22T17:46:20.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25680 (GCVE-0-2026-25680)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00
VLAI
Title
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Summary
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:00:30.926552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:00:35.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "IPC Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.805Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/781702"
},
{
"url": "https://go.dev/issue/79573"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5028"
}
],
"title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-25680",
"datePublished": "2026-05-22T15:01:21.805Z",
"dateReserved": "2026-02-05T01:35:43.737Z",
"dateUpdated": "2026-05-22T17:00:35.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42502 (GCVE-0-2026-42502)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:17
VLAI
Title
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:16:33.414557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:17:20.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tristan Madani"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.649Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79572"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781701"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5027"
}
],
"title": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42502",
"datePublished": "2026-05-22T15:01:21.649Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-22T17:17:20.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39821 (GCVE-0-2026-39821)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-06-30 03:15
VLAI
Title
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Summary
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity
9.6 (Critical)
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
21 references
Impacted products
81 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39821",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T03:55:58.522682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:13:15.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.10::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.9::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.8::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_builds:1"
],
"defaultStatus": "affected",
"product": "Builds for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_compliance_operator:1"
],
"defaultStatus": "affected",
"product": "Compliance Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:deployment_validator_operator"
],
"defaultStatus": "affected",
"product": "Deployment Validation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_far:0"
],
"defaultStatus": "affected",
"product": "Fence Agents Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "affected",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_mdr:0"
],
"defaultStatus": "affected",
"product": "Machine Deletion Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "affected",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_3scale_amp:2"
],
"defaultStatus": "affected",
"product": "Red Hat 3scale API Management Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_service_on_aws:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift on AWS",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:webterminal:1"
],
"defaultStatus": "affected",
"product": "Red Hat Web Terminal",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-22T15:01:21.462Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `idna` package, specifically within the `golang.org/x/net/idna` component. This vulnerability allows for privilege escalation due to incorrect processing of Punycode-encoded labels. An attacker could craft a malicious Punycode label that, when initially checked, appears safe but then decodes to a restricted ASCII hostname, bypassing security controls and gaining unauthorized access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:52.607Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"name": "RHBZ#2480756",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39821.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30855"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30853"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30854"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30651"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26547"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26546"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33183"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30650"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:30855: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:30853: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:30854: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13"
},
{
"lang": "en",
"value": "RHSA-2026:26547: Red Hat Advanced Cluster Security for Kubernetes 4.10"
},
{
"lang": "en",
"value": "RHSA-2026:26546: Red Hat Advanced Cluster Security for Kubernetes 4.9"
},
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30650: multicluster engine for Kubernetes 2.8"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T16:00:52.844Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-22T15:01:21.462Z",
"value": "Made public."
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/idna",
"product": "golang.org/x/net/idna",
"programRoutines": [
{
"name": "Profile.process"
},
{
"name": "Profile.ToASCII"
},
{
"name": "Profile.ToUnicode"
},
{
"name": "ToASCII"
},
{
"name": "ToUnicode"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "KC1zs4 (https://github.com/KC1zs4)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\"."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.462Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/767220"
},
{
"url": "https://go.dev/issue/78760"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"title": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39821",
"datePublished": "2026-05-22T15:01:21.462Z",
"dateReserved": "2026-04-07T18:13:03.526Z",
"dateUpdated": "2026-06-30T03:15:52.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42506 (GCVE-0-2026-42506)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:45
VLAI
Title
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
Summary
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.55.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T17:45:29.886387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:45:49.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.55.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ensy"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:01:21.056Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79571"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"url": "https://go.dev/cl/781700"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5025"
}
],
"title": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42506",
"datePublished": "2026-05-22T15:01:21.056Z",
"dateReserved": "2026-04-28T00:21:12.792Z",
"dateUpdated": "2026-05-22T17:45:49.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33814 (GCVE-0-2026-33814)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-06-30 03:15
VLAI
Title
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
Summary
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://go.dev/cl/761581 | |
| https://go.dev/cl/761640 | |
| https://go.dev/issue/78476 | |
| https://groups.google.com/g/golang-announce/c/qcC… | |
| https://pkg.go.dev/vuln/GO-2026-4918 | |
| https://access.redhat.com/security/cve/CVE-2026-33814 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467815 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:23262 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:23264 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33120 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33123 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33142 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33150 | vendor-advisoryx_refsource_REDHAT |
Impacted products
14 products
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.53.0
(semver)
|
|
| Go standard library | net/http |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.0 |
cpe:/a:redhat:service_mesh:3.0::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.1 |
cpe:/a:redhat:service_mesh:3.1::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.2 |
cpe:/a:redhat:service_mesh:3.2::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.3 |
cpe:/a:redhat:service_mesh:3.3::el9 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat OpenShift Virtualization 4 |
cpe:/a:redhat:container_native_virtualization:4 |
|
| Red Hat | OpenShift Service Mesh 2 |
cpe:/a:redhat:service_mesh:2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T18:00:53.951676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T18:01:02.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:17.631Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-606",
"description": "Unchecked Input for Loop Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:53.495Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33814"
},
{
"name": "RHBZ#2467815",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467815"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:01:11.324Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:17.631Z",
"value": "Made public."
}
],
"title": "net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.NewClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "unencryptedTransport.RoundTrip"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.53.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "Get"
},
{
"name": "Head"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "http1ClientConn.Close"
},
{
"name": "http1ClientConn.RoundTrip"
},
{
"name": "http2Transport.NewClientConn"
},
{
"name": "http2Transport.RoundTrip"
},
{
"name": "http2Transport.RoundTripOpt"
},
{
"name": "http2clientConnPool.GetClientConn"
},
{
"name": "http2noDialClientConnPool.GetClientConn"
},
{
"name": "http2noDialH2RoundTripper.NewClientConn"
},
{
"name": "http2noDialH2RoundTripper.RoundTrip"
},
{
"name": "http2unencryptedTransport.RoundTrip"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marwan Atia (marwansamir688@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:17.631Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/761581"
},
{
"url": "https://go.dev/cl/761640"
},
{
"url": "https://go.dev/issue/78476"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4918"
}
],
"title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33814",
"datePublished": "2026-05-07T19:41:17.631Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-06-30T03:15:53.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27141 (GCVE-0-2026-27141)
Vulnerability from cvelistv5 – Published: 2026-02-26 18:50 – Updated: 2026-02-27 19:11
VLAI
Title
Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
Summary
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0.50.0 , < 0.51.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:11:24.117207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:11:57.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "typeFrameParser"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.Ping"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "ClientConn.Shutdown"
},
{
"name": "ConfigureServer"
},
{
"name": "ConfigureTransport"
},
{
"name": "ConfigureTransports"
},
{
"name": "ConnectionError.Error"
},
{
"name": "ErrCode.String"
},
{
"name": "FrameHeader.String"
},
{
"name": "FrameType.String"
},
{
"name": "FrameWriteRequest.String"
},
{
"name": "Framer.ReadFrame"
},
{
"name": "Framer.ReadFrameForHeader"
},
{
"name": "Framer.ReadFrameHeader"
},
{
"name": "Framer.WriteContinuation"
},
{
"name": "Framer.WriteData"
},
{
"name": "Framer.WriteDataPadded"
},
{
"name": "Framer.WriteGoAway"
},
{
"name": "Framer.WriteHeaders"
},
{
"name": "Framer.WritePing"
},
{
"name": "Framer.WritePriority"
},
{
"name": "Framer.WritePriorityUpdate"
},
{
"name": "Framer.WritePushPromise"
},
{
"name": "Framer.WriteRSTStream"
},
{
"name": "Framer.WriteRawFrame"
},
{
"name": "Framer.WriteSettings"
},
{
"name": "Framer.WriteSettingsAck"
},
{
"name": "Framer.WriteWindowUpdate"
},
{
"name": "GoAwayError.Error"
},
{
"name": "ReadFrameHeader"
},
{
"name": "Server.ServeConn"
},
{
"name": "Setting.String"
},
{
"name": "SettingID.String"
},
{
"name": "SettingsFrame.ForeachSetting"
},
{
"name": "StreamError.Error"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "bufferedWriter.Flush"
},
{
"name": "bufferedWriter.Write"
},
{
"name": "bufferedWriterTimeoutWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "connError.Error"
},
{
"name": "dataBuffer.Read"
},
{
"name": "duplicatePseudoHeaderError.Error"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "headerFieldNameError.Error"
},
{
"name": "headerFieldValueError.Error"
},
{
"name": "netHTTPClientConn.Close"
},
{
"name": "netHTTPClientConn.RoundTrip"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.NewClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "pipe.Read"
},
{
"name": "priorityWriteSchedulerRFC7540.CloseStream"
},
{
"name": "priorityWriteSchedulerRFC7540.OpenStream"
},
{
"name": "priorityWriteSchedulerRFC9218.OpenStream"
},
{
"name": "pseudoHeaderError.Error"
},
{
"name": "requestBody.Close"
},
{
"name": "requestBody.Read"
},
{
"name": "responseWriter.Flush"
},
{
"name": "responseWriter.FlushError"
},
{
"name": "responseWriter.Push"
},
{
"name": "responseWriter.SetReadDeadline"
},
{
"name": "responseWriter.SetWriteDeadline"
},
{
"name": "responseWriter.Write"
},
{
"name": "responseWriter.WriteHeader"
},
{
"name": "responseWriter.WriteString"
},
{
"name": "roundRobinWriteScheduler.OpenStream"
},
{
"name": "serverConn.CloseConn"
},
{
"name": "serverConn.Flush"
},
{
"name": "stickyErrWriter.Write"
},
{
"name": "transportResponseBody.Close"
},
{
"name": "transportResponseBody.Read"
},
{
"name": "unencryptedTransport.RoundTrip"
},
{
"name": "writeData.String"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.51.0",
"status": "affected",
"version": "0.50.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:50:31.830Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
},
{
"url": "https://go.dev/cl/746180"
},
{
"url": "https://go.dev/issue/77652"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4559"
}
],
"title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27141",
"datePublished": "2026-02-26T18:50:31.830Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-02-27T19:11:57.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58190 (GCVE-0-2025-58190)
Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22
VLAI
Title
Infinite parsing loop in golang.org/x/net
Summary
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Exit Condition
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.45.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:22:10.801204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T15:22:37.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "inRowIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.693Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
},
{
"url": "https://github.com/golang/vulndb/issues/4441"
},
{
"url": "https://go.dev/cl/709875"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4441"
}
],
"title": "Infinite parsing loop in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58190",
"datePublished": "2026-02-05T17:48:44.693Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2026-02-12T15:22:37.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47911 (GCVE-0-2025-47911)
Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:23
VLAI
Title
Quadratic parsing complexity in golang.org/x/net/html
Summary
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.45.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:23:40.307728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T15:23:55.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parser.parse"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
},
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.562Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709876"
},
{
"url": "https://github.com/golang/vulndb/issues/4440"
},
{
"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4440"
}
],
"title": "Quadratic parsing complexity in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-47911",
"datePublished": "2026-02-05T17:48:44.562Z",
"dateReserved": "2025-05-13T23:31:29.597Z",
"dateUpdated": "2026-02-12T15:23:55.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22872 (GCVE-0-2025-22872)
Vulnerability from cvelistv5 – Published: 2025-04-16 17:13 – Updated: 2025-05-16 23:03
VLAI
Title
Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
Summary
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.38.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T20:14:29.607584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T20:15:13.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-16T23:03:07.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250516-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "Tokenizer.readStartTag"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
},
{
"name": "Tokenizer.Next"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.38.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sean Ng (https://ensy.zip)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T17:13:02.550Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/662715"
},
{
"url": "https://go.dev/issue/73070"
},
{
"url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3595"
}
],
"title": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22872",
"datePublished": "2025-04-16T17:13:02.550Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2025-05-16T23:03:07.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22870 (GCVE-0-2025-22870)
Vulnerability from cvelistv5 – Published: 2025-03-12 18:27 – Updated: 2026-04-16 22:39
VLAI
Title
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Summary
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-115 Misinterpretation of Input
- CWE-115 - Misinterpretation of Input
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.23.7
(semver)
Affected: 1.24.0-0 , < 1.24.1 (semver) |
|
| golang.org/x/net | golang.org/x/net/http/httpproxy |
Affected:
0 , < 0.36.0
(semver)
|
|
| golang.org/x/net | golang.org/x/net/proxy |
Affected:
0 , < 0.36.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-09T20:03:37.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250509-0007/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:31:16.493335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115 Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:32:14.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "envProxyFunc"
},
{
"name": "ProxyFromEnvironment"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.23.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.1",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http/httpproxy",
"product": "golang.org/x/net/http/httpproxy",
"programRoutines": [
{
"name": "config.useProxy"
},
{
"name": "domainMatch.match"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/proxy",
"product": "golang.org/x/net/proxy",
"programRoutines": [
{
"name": "PerHost.dialerForRequest"
},
{
"name": "PerHost.AddFromString"
},
{
"name": "Dial"
},
{
"name": "FromEnvironment"
},
{
"name": "FromEnvironmentUsing"
},
{
"name": "PerHost.Dial"
},
{
"name": "PerHost.DialContext"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-115 Misinterpretation of Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T22:39:33.619Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/654697"
},
{
"url": "https://go.dev/issue/71984"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3503"
}
],
"title": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22870",
"datePublished": "2025-03-12T18:27:59.376Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2026-04-16T22:39:33.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45338 (GCVE-0-2024-45338)
Vulnerability from cvelistv5 – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
VLAI
Title
Non-linear parsing of case-insensitive content in golang.org/x/net/html
Summary
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.33.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T19:51:42.228627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:55:04.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:32.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parseDoctype"
},
{
"name": "htmlIntegrationPoint"
},
{
"name": "inTableIM"
},
{
"name": "inBodyIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.33.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T20:38:22.660Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/637536"
},
{
"url": "https://go.dev/issue/70906"
},
{
"url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-3333"
}
],
"title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45338",
"datePublished": "2024-12-18T20:38:22.660Z",
"dateReserved": "2024-08-27T19:41:58.555Z",
"dateUpdated": "2025-02-21T18:03:32.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45288 (GCVE-0-2023-45288)
Vulnerability from cvelistv5 – Published: 2024-04-04 20:37 – Updated: 2025-11-04 18:17
VLAI
Title
HTTP/2 CONTINUATION flood in net/http
Summary
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
9 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.21.9
(semver)
Affected: 1.22.0-0 , < 1.22.2 (semver) |
|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.23.0
(semver)
|
|
| go_standard_library | net\/http |
Affected:
0 , < 1.21.9
(custom)
Affected: 1.22.0-0 , < 1.22.2 (custom) cpe:2.3:a:go_standard_library:net\/http:*:*:*:*:*:*:*:* |
|
| golang | http2 |
Affected:
0 , < 0.23.0
(custom)
cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:17:43.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/65051"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/576155"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
},
{
"url": "https://www.kb.cert.org/vuls/id/421644"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "net\\/http",
"vendor": "go_standard_library",
"versions": [
{
"lessThan": "1.21.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.22.2",
"status": "affected",
"version": "1.22.0-0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "http2",
"vendor": "golang",
"versions": [
{
"lessThan": "0.23.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T17:08:42.212936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:40:01.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2Framer.readMetaFrame"
},
{
"name": "CanonicalHeaderKey"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "Cookie.String"
},
{
"name": "Cookie.Valid"
},
{
"name": "Dir.Open"
},
{
"name": "Error"
},
{
"name": "Get"
},
{
"name": "HandlerFunc.ServeHTTP"
},
{
"name": "Head"
},
{
"name": "Header.Add"
},
{
"name": "Header.Del"
},
{
"name": "Header.Get"
},
{
"name": "Header.Set"
},
{
"name": "Header.Values"
},
{
"name": "Header.Write"
},
{
"name": "Header.WriteSubset"
},
{
"name": "ListenAndServe"
},
{
"name": "ListenAndServeTLS"
},
{
"name": "NewRequest"
},
{
"name": "NewRequestWithContext"
},
{
"name": "NotFound"
},
{
"name": "ParseTime"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "ProxyFromEnvironment"
},
{
"name": "ReadRequest"
},
{
"name": "ReadResponse"
},
{
"name": "Redirect"
},
{
"name": "Request.AddCookie"
},
{
"name": "Request.BasicAuth"
},
{
"name": "Request.FormFile"
},
{
"name": "Request.FormValue"
},
{
"name": "Request.MultipartReader"
},
{
"name": "Request.ParseForm"
},
{
"name": "Request.ParseMultipartForm"
},
{
"name": "Request.PostFormValue"
},
{
"name": "Request.Referer"
},
{
"name": "Request.SetBasicAuth"
},
{
"name": "Request.UserAgent"
},
{
"name": "Request.Write"
},
{
"name": "Request.WriteProxy"
},
{
"name": "Response.Cookies"
},
{
"name": "Response.Location"
},
{
"name": "Response.Write"
},
{
"name": "ResponseController.EnableFullDuplex"
},
{
"name": "ResponseController.Flush"
},
{
"name": "ResponseController.Hijack"
},
{
"name": "ResponseController.SetReadDeadline"
},
{
"name": "ResponseController.SetWriteDeadline"
},
{
"name": "Serve"
},
{
"name": "ServeContent"
},
{
"name": "ServeFile"
},
{
"name": "ServeMux.ServeHTTP"
},
{
"name": "ServeTLS"
},
{
"name": "Server.Close"
},
{
"name": "Server.ListenAndServe"
},
{
"name": "Server.ListenAndServeTLS"
},
{
"name": "Server.Serve"
},
{
"name": "Server.ServeTLS"
},
{
"name": "Server.SetKeepAlivesEnabled"
},
{
"name": "Server.Shutdown"
},
{
"name": "SetCookie"
},
{
"name": "Transport.CancelRequest"
},
{
"name": "Transport.Clone"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "body.Close"
},
{
"name": "body.Read"
},
{
"name": "bodyEOFSignal.Close"
},
{
"name": "bodyEOFSignal.Read"
},
{
"name": "bodyLocked.Read"
},
{
"name": "bufioFlushWriter.Write"
},
{
"name": "cancelTimerBody.Close"
},
{
"name": "cancelTimerBody.Read"
},
{
"name": "checkConnErrorWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "connReader.Read"
},
{
"name": "connectMethodKey.String"
},
{
"name": "expectContinueReader.Close"
},
{
"name": "expectContinueReader.Read"
},
{
"name": "extraHeader.Write"
},
{
"name": "fileHandler.ServeHTTP"
},
{
"name": "fileTransport.RoundTrip"
},
{
"name": "globalOptionsHandler.ServeHTTP"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "http2ClientConn.Close"
},
{
"name": "http2ClientConn.Ping"
},
{
"name": "http2ClientConn.RoundTrip"
},
{
"name": "http2ClientConn.Shutdown"
},
{
"name": "http2ConnectionError.Error"
},
{
"name": "http2ErrCode.String"
},
{
"name": "http2FrameHeader.String"
},
{
"name": "http2FrameType.String"
},
{
"name": "http2FrameWriteRequest.String"
},
{
"name": "http2Framer.ReadFrame"
},
{
"name": "http2Framer.WriteContinuation"
},
{
"name": "http2Framer.WriteData"
},
{
"name": "http2Framer.WriteDataPadded"
},
{
"name": "http2Framer.WriteGoAway"
},
{
"name": "http2Framer.WriteHeaders"
},
{
"name": "http2Framer.WritePing"
},
{
"name": "http2Framer.WritePriority"
},
{
"name": "http2Framer.WritePushPromise"
},
{
"name": "http2Framer.WriteRSTStream"
},
{
"name": "http2Framer.WriteRawFrame"
},
{
"name": "http2Framer.WriteSettings"
},
{
"name": "http2Framer.WriteSettingsAck"
},
{
"name": "http2Framer.WriteWindowUpdate"
},
{
"name": "http2GoAwayError.Error"
},
{
"name": "http2Server.ServeConn"
},
{
"name": "http2Setting.String"
},
{
"name": "http2SettingID.String"
},
{
"name": "http2SettingsFrame.ForeachSetting"
},
{
"name": "http2StreamError.Error"
},
{
"name": "http2Transport.CloseIdleConnections"
},
{
"name": "http2Transport.NewClientConn"
},
{
"name": "http2Transport.RoundTrip"
},
{
"name": "http2Transport.RoundTripOpt"
},
{
"name": "http2bufferedWriter.Flush"
},
{
"name": "http2bufferedWriter.Write"
},
{
"name": "http2chunkWriter.Write"
},
{
"name": "http2clientConnPool.GetClientConn"
},
{
"name": "http2connError.Error"
},
{
"name": "http2dataBuffer.Read"
},
{
"name": "http2duplicatePseudoHeaderError.Error"
},
{
"name": "http2gzipReader.Close"
},
{
"name": "http2gzipReader.Read"
},
{
"name": "http2headerFieldNameError.Error"
},
{
"name": "http2headerFieldValueError.Error"
},
{
"name": "http2noDialClientConnPool.GetClientConn"
},
{
"name": "http2noDialH2RoundTripper.RoundTrip"
},
{
"name": "http2pipe.Read"
},
{
"name": "http2priorityWriteScheduler.CloseStream"
},
{
"name": "http2priorityWriteScheduler.OpenStream"
},
{
"name": "http2pseudoHeaderError.Error"
},
{
"name": "http2requestBody.Close"
},
{
"name": "http2requestBody.Read"
},
{
"name": "http2responseWriter.Flush"
},
{
"name": "http2responseWriter.FlushError"
},
{
"name": "http2responseWriter.Push"
},
{
"name": "http2responseWriter.SetReadDeadline"
},
{
"name": "http2responseWriter.SetWriteDeadline"
},
{
"name": "http2responseWriter.Write"
},
{
"name": "http2responseWriter.WriteHeader"
},
{
"name": "http2responseWriter.WriteString"
},
{
"name": "http2roundRobinWriteScheduler.OpenStream"
},
{
"name": "http2serverConn.CloseConn"
},
{
"name": "http2serverConn.Flush"
},
{
"name": "http2stickyErrWriter.Write"
},
{
"name": "http2transportResponseBody.Close"
},
{
"name": "http2transportResponseBody.Read"
},
{
"name": "http2writeData.String"
},
{
"name": "initALPNRequest.ServeHTTP"
},
{
"name": "loggingConn.Close"
},
{
"name": "loggingConn.Read"
},
{
"name": "loggingConn.Write"
},
{
"name": "maxBytesReader.Close"
},
{
"name": "maxBytesReader.Read"
},
{
"name": "onceCloseListener.Close"
},
{
"name": "persistConn.Read"
},
{
"name": "persistConnWriter.ReadFrom"
},
{
"name": "persistConnWriter.Write"
},
{
"name": "populateResponse.Write"
},
{
"name": "populateResponse.WriteHeader"
},
{
"name": "readTrackingBody.Close"
},
{
"name": "readTrackingBody.Read"
},
{
"name": "readWriteCloserBody.Read"
},
{
"name": "redirectHandler.ServeHTTP"
},
{
"name": "response.Flush"
},
{
"name": "response.FlushError"
},
{
"name": "response.Hijack"
},
{
"name": "response.ReadFrom"
},
{
"name": "response.Write"
},
{
"name": "response.WriteHeader"
},
{
"name": "response.WriteString"
},
{
"name": "serverHandler.ServeHTTP"
},
{
"name": "socksDialer.DialWithConn"
},
{
"name": "socksUsernamePassword.Authenticate"
},
{
"name": "stringWriter.WriteString"
},
{
"name": "timeoutHandler.ServeHTTP"
},
{
"name": "timeoutWriter.Write"
},
{
"name": "timeoutWriter.WriteHeader"
},
{
"name": "transportReadFromServerError.Error"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.21.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.22.2",
"status": "affected",
"version": "1.22.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "Framer.readMetaFrame"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.Ping"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "ClientConn.Shutdown"
},
{
"name": "ConfigureServer"
},
{
"name": "ConfigureTransport"
},
{
"name": "ConfigureTransports"
},
{
"name": "ConnectionError.Error"
},
{
"name": "ErrCode.String"
},
{
"name": "FrameHeader.String"
},
{
"name": "FrameType.String"
},
{
"name": "FrameWriteRequest.String"
},
{
"name": "Framer.ReadFrame"
},
{
"name": "Framer.WriteContinuation"
},
{
"name": "Framer.WriteData"
},
{
"name": "Framer.WriteDataPadded"
},
{
"name": "Framer.WriteGoAway"
},
{
"name": "Framer.WriteHeaders"
},
{
"name": "Framer.WritePing"
},
{
"name": "Framer.WritePriority"
},
{
"name": "Framer.WritePushPromise"
},
{
"name": "Framer.WriteRSTStream"
},
{
"name": "Framer.WriteRawFrame"
},
{
"name": "Framer.WriteSettings"
},
{
"name": "Framer.WriteSettingsAck"
},
{
"name": "Framer.WriteWindowUpdate"
},
{
"name": "GoAwayError.Error"
},
{
"name": "ReadFrameHeader"
},
{
"name": "Server.ServeConn"
},
{
"name": "Setting.String"
},
{
"name": "SettingID.String"
},
{
"name": "SettingsFrame.ForeachSetting"
},
{
"name": "StreamError.Error"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "bufferedWriter.Flush"
},
{
"name": "bufferedWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "connError.Error"
},
{
"name": "dataBuffer.Read"
},
{
"name": "duplicatePseudoHeaderError.Error"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "headerFieldNameError.Error"
},
{
"name": "headerFieldValueError.Error"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "pipe.Read"
},
{
"name": "priorityWriteScheduler.CloseStream"
},
{
"name": "priorityWriteScheduler.OpenStream"
},
{
"name": "pseudoHeaderError.Error"
},
{
"name": "requestBody.Close"
},
{
"name": "requestBody.Read"
},
{
"name": "responseWriter.Flush"
},
{
"name": "responseWriter.FlushError"
},
{
"name": "responseWriter.Push"
},
{
"name": "responseWriter.SetReadDeadline"
},
{
"name": "responseWriter.SetWriteDeadline"
},
{
"name": "responseWriter.Write"
},
{
"name": "responseWriter.WriteHeader"
},
{
"name": "responseWriter.WriteString"
},
{
"name": "roundRobinWriteScheduler.OpenStream"
},
{
"name": "serverConn.CloseConn"
},
{
"name": "serverConn.Flush"
},
{
"name": "stickyErrWriter.Write"
},
{
"name": "transportResponseBody.Close"
},
{
"name": "transportResponseBody.Read"
},
{
"name": "writeData.String"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.23.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bartek Nowotarski (https://nowotarski.info/)"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:10:07.754Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/65051"
},
{
"url": "https://go.dev/cl/576155"
},
{
"url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
}
],
"title": "HTTP/2 CONTINUATION flood in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-45288",
"datePublished": "2024-04-04T20:37:30.714Z",
"dateReserved": "2023-10-06T17:06:26.221Z",
"dateUpdated": "2025-11-04T18:17:43.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-39325 (GCVE-0-2023-39325)
Vulnerability from cvelistv5 – Published: 2023-10-11 21:15 – Updated: 2025-02-13 17:02
VLAI
Title
HTTP/2 rapid reset can cause excessive work in net/http
Summary
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Severity
No CVSS data available.
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
43 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.20.10
(semver)
Affected: 1.21.0-0 , < 1.21.3 (semver) |
|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.17.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/63417"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/534215"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/534235"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2serverConn.serve"
},
{
"name": "http2serverConn.processHeaders"
},
{
"name": "http2serverConn.upgradeRequest"
},
{
"name": "http2serverConn.runHandler"
},
{
"name": "ListenAndServe"
},
{
"name": "ListenAndServeTLS"
},
{
"name": "Serve"
},
{
"name": "ServeTLS"
},
{
"name": "Server.ListenAndServe"
},
{
"name": "Server.ListenAndServeTLS"
},
{
"name": "Server.Serve"
},
{
"name": "Server.ServeTLS"
},
{
"name": "http2Server.ServeConn"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.20.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.3",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "serverConn.serve"
},
{
"name": "serverConn.processHeaders"
},
{
"name": "serverConn.upgradeRequest"
},
{
"name": "serverConn.runHandler"
},
{
"name": "Server.ServeConn"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.17.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-28T04:05:57.980Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/63417"
},
{
"url": "https://go.dev/cl/534215"
},
{
"url": "https://go.dev/cl/534235"
},
{
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
}
],
"title": "HTTP/2 rapid reset can cause excessive work in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-39325",
"datePublished": "2023-10-11T21:15:02.727Z",
"dateReserved": "2023-07-27T17:05:55.188Z",
"dateUpdated": "2025-02-13T17:02:50.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}