Golang HTML Parser Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the HTML parsing component of the Golang x/net package, prior to version 0.55.0. The issue arises from a cubic complexity algorithm used during the construction of the HTML tree, which can lead to excessive CPU consumption when parsing arbitrary HTML. This vulnerability was reported by IPC Labs.

Impact

Exploitation of this vulnerability can cause excessive CPU usage, potentially leading to a denial-of-service condition.

Remediation

Users can upgrade to Golang x/net version 0.55.0 or later to address this vulnerability.
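
An added example, not code from this advisory or from the Go project: a standard-library-only Go check that reads go.mod text and reports whether the required golang.org/x/net version predates the 0.55.0 fix named above. The sample go.mod, the module name example.com/scraper and the function names are constructed for illustration, and replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixed is the first patched x/net release named in the advisory (0.55.0).
var fixed = [3]int{0, 55, 0}

// sampleGoMod is a constructed go.mod, not taken from a real project.
const sampleGoMod = "module example.com/scraper\n\nrequire (\n\tgolang.org/x/net v0.54.0\n\tgolang.org/x/text v0.14.0 // indirect\n)\n"

// xnetVersion returns the x/net version a go.mod requires, or "" if none is found.
func xnetVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line "require path version" form
		}
		if len(f) >= 2 && f[0] == "golang.org/x/net" && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// vulnerable reports whether version v sorts before the fixed release.
func vulnerable(v string) (bool, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+") // drop build metadata such as +incompatible
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unparseable version %q", v)
	}
	for i, p := range parts {
		if n, err := strconv.Atoi(p); err != nil {
			return false, fmt.Errorf("unparseable version %q", v)
		} else if n != fixed[i] {
			return n < fixed[i], nil
		}
	}
	return pre != "", nil // same x.y.z: only a pre-release or pseudo-version predates the tag
}

func main() {
	bad, err := vulnerable(xnetVersion(sampleGoMod))
	fmt.Println("x/net below 0.55.0:", bad, err)
}
```

A missing x/net requirement yields an error rather than a "not vulnerable" result, so an absent or unparseable entry is never silently treated as patched.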

Added: May 26, 2026, 3:51 PM
Updated: May 26, 2026, 3:51 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 9.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.