GO-2025-3595

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-3595

Import Source

https://vuln.go.dev/ID/GO-2025-3595.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2025-3595

Aliases

Published

2025-04-16T16:54:55Z

Modified

2025-04-16T19:41:48.559543Z

Summary

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2025-3595"
}

References

Credits

- Sean Ng (https://ensy.zip)

Affected packages

Go / golang.org/x/net

Package

Name: golang.org/x/net; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/net

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.38.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/html",
            "symbols": [
                "Parse",
                "ParseFragment",
                "ParseFragmentWithOptions",
                "ParseWithOptions",
                "Tokenizer.Next",
                "Tokenizer.readStartTag"
            ]
        }
    ]
}