CVE-2025-58190

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/golang/vulndb/issues/4441	Exploit Issue Tracking
https://go.dev/cl/709875	Patch
https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c	Mailing List Third Party Advisory
https://pkg.go.dev/vuln/GO-2026-4441	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:go:html:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-05 18:16

Updated : 2026-02-18 17:46

NVD link : CVE-2025-58190

Mitre link : CVE-2025-58190

CVE.ORG link : CVE-2025-58190

JSON object : View

Products Affected

go

html

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2025-58190", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-02-05T18:16:10.027", "references": [{"url": "https://github.com/golang/vulndb/issues/4441", "tags": ["Exploit", "Issue Tracking"], "source": "security@golang.org"}, {"url": "https://go.dev/cl/709875", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4441", "tags": ["Vendor Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."}, {"lang": "es", "value": "La funci\u00f3n html.Parse en golang.org/x/net/html tiene un bucle de an\u00e1lisis infinito al procesar ciertas entradas, lo que puede llevar a una denegaci\u00f3n de servicio (DoS) si un atacante proporciona contenido HTML especialmente dise\u00f1ado."}], "lastModified": "2026-02-18T17:46:35.163", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go:html:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "376264FC-D0BB-4AAD-B6DE-127D83F3070A", "versionEndExcluding": "0.45.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}