Golang HTML Package Quadratic Parsing Complexity Leading to Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the HTML parsing functions of the golang.org/x/net/html package, prior to version 0.45.0. The issue arises from quadratic parsing complexity when handling certain inputs, allowing an attacker to cause significant slowdowns or even induce infinite loops by providing specially crafted HTML content. This vulnerability affects programs that parse untrusted HTML documents.

Impact

Exploitation of this vulnerability can cause significant performance degradation, with the parser taking an excessively long time to process certain HTML inputs or potentially entering an infinite loop, never completing the parsing operation.

Remediation

Users can update to golang.org/x/net version 0.45.0 or later, where this vulnerability has been addressed by imposing a depth limit of 512 for nested HTML tags, preventing the parser from being exploited with specially crafted documents.