Vulnerability Report: GO-2025-3595

CVE-2025-22872
Affects: golang.org/x/net
Published: Apr 16, 2025

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

Affected Packages

Path

Versions

Symbols
golang.org/x/net/html

before v0.38.0
5 affected symbols

Aliases

CVE-2025-22872

References

https://go.dev/cl/662715
https://go.dev/issue/73070
https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
https://vuln.go.dev/ID/GO-2025-3595.json

Credits

Sean Ng (https://ensy.zip)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL