CVSS Score: 5.3 Published: 2026-02-12 Full Report: https://cvereports.com/reports/CVE-2025-47911
In the world of memory-safe languages, we often forget that algorithmic complexity is a vulnerability class of its own. CVE-2025-47911 serves as a stark reminder: you don't need a buffer overflow to kill a server; you just need a really annoying HTML table. This vulnerability affects the golang.org/x/net/html package, the de facto standard for HTML parsing in the Go ecosystem, and allows attackers to trigger quadratic time complexity ($O(n^2)$) during the parsing of specially crafted inputs. Because the cost grows with the square of the input length, the attacker's cheapest lever is simply a larger document.
The Go HTML parser (x/net/html) contains a quadratic complexity bug in its tree construction logic. An attacker can send a malicious HTML payload (such as deeply nested or malformed tags) that causes the parser to consume excessive CPU resources, effectively hanging the application for the duration of the parse. Fix: Upgrade golang.org/x/net to v0.45.0.
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network
- CVSS v3.1: 5.3 (Medium)
- Impact: Denial of Service (CPU Exhaustion)
- Patch: golang.org/x/net v0.45.0
- Exploit Status: PoC Available (Trivial to construct)
Downstream projects that pull in golang.org/x/net (exposure requires that the html package is actually reachable, not merely present in go.sum):
- Grafana
- Helm
- Podman
- Echo Web Framework
- Kubernetes Controllers (only where they parse HTML with x/net/html; the standard library's html/template package does not depend on x/net/html and is not affected)
- Email Sanitizers (using x/net/html)
Affected Versions:
- golang.org/x/net: < v0.45.0 (fixed in v0.45.0)
Mitigations:
- Input Size Limiting (caps the n in $O(n^2)$ before the parser ever runs; the most effective interim control)
- Dependency Updates
- Resource Quotas (CPU limits, so a single hung parse cannot starve co-located workloads)
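The size limit and time budget above can be enforced in one place around the parser call. The following Go code is an added example written for this page; it is not code from golang.org/x/net or from any of the projects listed above. The parser is abstracted as a `ParseFunc` so the example runs with only the standard library; `countTags` is an assumed stand-in for a real parser, the names `ParseBounded`, `ErrTooLarge` and `ErrParseTimeout` are this example's own, and the nested-table input is a constructed sample illustrating the input shape the advisory describes, not the CVE proof of concept.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// ErrTooLarge: the document exceeded the byte budget and was rejected before
// any parsing happened. For an O(n^2) parser this is the control that matters,
// because it bounds n.
var ErrTooLarge = errors.New("html input exceeds size limit")

// ErrParseTimeout: the parser did not finish within the wall-clock budget.
var ErrParseTimeout = errors.New("html parse exceeded time budget")

// ParseFunc abstracts the parser so this example runs with only the standard
// library. With golang.org/x/net/html the real argument would be:
//
//	func(r io.Reader) error { _, err := html.Parse(r); return err }
type ParseFunc func(r io.Reader) error

// ParseBounded enforces a byte cap and a deadline around parse. The cap is the
// actual defence against quadratic blow-up; the deadline only limits how long
// the caller waits (see the caveat in the select below).
func ParseBounded(ctx context.Context, r io.Reader, maxBytes int64, timeout time.Duration, parse ParseFunc) error {
	// Read at most maxBytes+1 so an over-limit body is detected without
	// buffering an unbounded stream.
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(buf)) > maxBytes {
		return ErrTooLarge
	}

	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	done := make(chan error, 1) // buffered so the goroutine never blocks on send
	go func() { done <- parse(bytes.NewReader(buf)) }()

	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		// Caveat: html.Parse cannot be interrupted. The goroutine keeps burning
		// CPU until it finishes; only the caller is released. Pair this with a
		// container CPU quota and, above all, with the size cap.
		return ErrParseTimeout
	}
}

// countTags is a stand-in "parser" (assumed for this example, not a real
// HTML parser): it consumes the input and fails if no tag is present.
func countTags(r io.Reader) error {
	data, err := io.ReadAll(r)
	if err != nil {
		return err
	}
	if bytes.Count(data, []byte("<")) == 0 {
		return errors.New("no tags found")
	}
	return nil
}

func main() {
	// Constructed sample input: a deeply nested table, 30,000 bytes. It shows
	// the input shape the advisory describes; it is not the CVE proof of concept.
	nested := strings.Repeat("<table><tr><td>", 2000)

	fmt.Println("64 KiB cap:", ParseBounded(context.Background(), strings.NewReader(nested), 64<<10, time.Second, countTags))
	fmt.Println("16 KiB cap:", ParseBounded(context.Background(), strings.NewReader(nested), 16<<10, time.Second, countTags))

	// A deliberately slow parser stands in for a parse that hit the O(n^2) path.
	slow := func(r io.Reader) error { time.Sleep(200 * time.Millisecond); return nil }
	fmt.Println("10 ms budget:", ParseBounded(context.Background(), strings.NewReader(nested), 64<<10, 10*time.Millisecond, slow))
}
```

In an HTTP handler, wrap the body with `http.MaxBytesReader(w, r.Body, maxBytes)` before handing it to ParseBounded, so that an oversized upload also terminates the connection instead of just returning an error. The timeout path is deliberately second-class here: a Go goroutine in the middle of html.Parse cannot be preempted by the caller, so without the byte cap a timeout only moves the CPU exhaustion out of the request path rather than preventing it.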
Remediation Steps:
- Run `govulncheck ./...` to verify exposure. govulncheck reports a finding only when a vulnerable symbol is reachable from your code, so a module that merely lists golang.org/x/net in go.mod without calling into the html package is not flagged.
- Execute `go get golang.org/x/net@v0.45.0` to update the library.
- Run `go mod tidy` to clean up dependencies, then confirm with `go list -m golang.org/x/net` that the resolved version is v0.45.0 or later.
- Recompile and redeploy the application.
Generated by CVEReports - Automated Vulnerability Intelligence