Death by a Thousand Tags: The Quadratic HTML DoS in Go
Vulnerability ID: CVE-2025-47911
CVSS Score: 5.3
Published: 2026-02-12
In the world of safe memory languages, we often forget that algorithmic complexity is a vulnerability class of its own. CVE-2025-47911 serves as a stark reminder: you don't need a buffer overflow to kill a server; you just need a really annoying HTML table. This vulnerability affects the golang.org/x/net/html package—the de facto standard for HTML parsing in the Go ecosystem—allowing attackers to trigger quadratic time complexity ($O(n^2)$) during the parsing of specially crafted inputs.
TL;DR
The Go HTML parser (x/net/html) contains a quadratic complexity bug in its tree construction logic. An attacker can send a malicious HTML payload (like deeply nested or malformed tags) that causes the parser to consume excessive CPU resources, effectively hanging the application. Fix: Upgrade golang.org/x/net to v0.45.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network
- CVSS v3.1: 5.3 (Medium)
- Impact: Denial of Service (CPU Exhaustion)
- Patch: golang.org/x/net v0.45.0
- Exploit Status: PoC Available (Trivial to construct)
Affected Systems
- Grafana
- Helm
- Podman
- Echo Web Framework
- Kubernetes Controllers (using html templates)
- Email Sanitizers (using x/net/html)
- golang.org/x/net: < v0.45.0 (Fixed in: v0.45.0)
Code Analysis
Commit: 709876
html: limit work in Parse
The code diff is not reproduced here; the fix adds iteration limits to the tree-construction logic so that pathological inputs can no longer drive unbounded work in Parse.
Mitigation Strategies
- Input Size Limiting
- Dependency Updates
- Resource Quotas (CPU limits)
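As an added illustration of the first mitigation (this is example code written for this post, not code from the advisory or from golang.org/x/net), a dependency-free Go wrapper that caps the bytes handed to any HTML parser, both when called directly and at the HTTP layer; the names parseFunc, safeParse and sanitizeHandler and the byte caps used with them are assumptions for the demo.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"net/http"
)

// ErrTooLarge is returned when an HTML document exceeds the configured cap.
var ErrTooLarge = errors.New("html input exceeds size limit")

// parseFunc is a hypothetical callback so this example needs no external
// module; in a real service wrap the upgraded x/net parser, for example
// func(r io.Reader) error { _, err := html.Parse(r); return err }.
type parseFunc func(io.Reader) error

// safeParse enforces a byte cap before the parser sees any input. It reads
// one byte past the cap so an oversized document is rejected outright instead
// of being silently truncated and parsed anyway.
func safeParse(r io.Reader, maxBytes int64, parse parseFunc) error {
	doc, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(doc)) > maxBytes {
		return ErrTooLarge
	}
	return parse(bytes.NewReader(doc))
}

// sanitizeHandler applies the same cap at the HTTP layer. MaxBytesReader stops
// reading the body once the limit is crossed; the handler maps that to 413
// rather than feeding a partial document to the parser.
func sanitizeHandler(maxBytes int64, parse parseFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		req.Body = http.MaxBytesReader(w, req.Body, maxBytes)
		err := safeParse(req.Body, maxBytes, parse)
		var mbe *http.MaxBytesError
		switch {
		case errors.Is(err, ErrTooLarge), errors.As(err, &mbe):
			http.Error(w, "html body too large", http.StatusRequestEntityTooLarge)
		case err != nil:
			http.Error(w, "malformed html", http.StatusBadRequest)
		default:
			w.WriteHeader(http.StatusOK)
		}
	})
}
```

A byte cap bounds n and therefore the quadratic term, whereas a wall-clock timeout alone does not stop a CPU-bound parse that is already running; reject oversized input before parsing and still apply the v0.45.0 upgrade.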
Remediation Steps:
- Run govulncheck ./... to verify exposure.
- Execute go get golang.org/x/net@v0.45.0 to update the library.
- Run go mod tidy to clean up dependencies.
- Recompile and redeploy the application.
Read the full report for CVE-2025-47911 on our website for more details including interactive diagrams and full exploit analysis.