SB2026031752 - Denial of service in Go Net

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2025-47911)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to algorithmic complexity in the html.Parse function when processing specially crafted HTML content. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.

2) Infinite loop (CVE-ID: CVE-2025-58190)

The vulnerability allows remote attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the html.Parse function when processing specially crafted HTML content. A remote attacker can pass malicious input to the application and cause a denial of service.

Remediation

Install update from vendor's website.

References

• https://github.com/golang/vulndb/issues/4440
• https://go.dev/cl/709876
• https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
• https://pkg.go.dev/vuln/GO-2026-4440
• https://github.com/golang/vulndb/issues/4441
• https://go.dev/cl/709875
• https://pkg.go.dev/vuln/GO-2026-4441