2437110 – (CVE-2025-58190) CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net

Bug 2437110 (CVE-2025-58190) - CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net

Summary: CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net

Keywords:
Status:	NEW
Alias:	CVE-2025-58190
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2437454 2437455
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-05 18:01 UTC by OSIDB Bzimport
Modified:	2026-02-06 23:10 UTC (History)
CC List:	89 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-05 18:01:49 UTC

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adistefa
akoudelk
alcohan
alizardo
anjoseph
anpicker
anthomas
bparees
ckandaga
cmah
crizzo
dhanak
drosa
dschmidt
dsimansk
dymurray
ebaron
eglynn
ehelms
erezende
ggainey
gparvin
hasun
ibolton
jbalunas
jcantril
jchui
jfula
jhe
jjoyce
jkoehler
jmatthew
jmontleo
jowilson
jprabhak
jschluet
juwatts
kingland
kshier
ktsao
kverlaen
lball
lbragsta
lgamliel
lhh
lphiri
manissin
mattdavi
matzew
mburns
mgarciac
mhulan
mnovotny
mwringe
nboldt
ngough
nmoumoul
nyancey
ometelka
osousa
pahickey
pcreech
pgaikwad
psrna
ptisnovs
pvasanth
rchan
rfreiman
rhaigner
rjohnson
rojacob
sausingh
sdawley
slucidi
smallamp
smcdonal
sseago
stcannon
syedriko
teagle
tmalecek
veshanka
wenshen
whayutin
wtam
xdharmai
xiyuan
yguenane