Description
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parsing attacker-controlled HTML with golang.org/x/net/html can consume excessive CPU time, leading to a denial of service. The weakness is uncontrolled resource consumption (CWE-400): crafted input makes the parser spend CPU time out of proportion to the size of the input. The advisory gives no further detail on what the triggering input looks like. The impact is on availability only; the CVSS vector records no effect on confidentiality or integrity (C:N/I:N/A:H).

Affected Systems

The flaw affects the HTML parser in the Go networking module golang.org/x/net (package golang.org/x/net/html). No affected or fixed version range is listed, so treat any build that depends on the package as potentially vulnerable until a fixed release is identified. The package is widely vendored into Go applications that scrape, sanitize or render HTML; the exposure is wherever untrusted input reaches html.Parse or html.ParseFragment. To check a code base, go list -m golang.org/x/net prints the pinned module version, and govulncheck ./... will flag affected call sites once the Go vulnerability database entry for this CVE is published.

Risk and Exploitability

The CVSS 3.1 vector recorded in the history below, AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, scores 6.5 (Medium): reachable over the network, low attack complexity, no privileges required, user interaction required, and a high availability impact with no confidentiality or integrity impact. The SSVC enrichment rates Exploitation as none and Automatable as no; no EPSS score is available and the CVE is not in CISA KEV. Any process that parses attacker-supplied HTML is exposed. Because the attack is simple CPU-time exhaustion it needs only the ability to submit input, so a server-side parser fed from a request body or a fetched URL is reachable by a remote attacker without credentials. Bounding the size of untrusted input, putting a deadline around each parse, and limiting how many parses run concurrently reduce the blast radius; cheap preprocessing such as a byte cap helps, but a structural pre-validation pass does not, since it would have to parse the same input.

Generated by OpenCVE AI on May 22, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/net to a release that resolves the excessive CPU usage once one is published; go get golang.org/x/net@latest followed by go mod tidy pulls the newest tagged version, and govulncheck ./... confirms whether the build still matches the vulnerable range.
  • Cap the size of untrusted HTML before it reaches the parser (for example with io.LimitReader) and reject oversize bodies; a structural pre-validation pass is not a substitute, since it would have to parse the same input.
  • Run each parse under a context deadline and bound the number of concurrent parses per process, so that one request cannot monopolize CPU; note that a Go timeout releases the caller but does not stop a parser goroutine that is already running.
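Since no vendor fix is listed, the size cap and the parse deadline named above are what a deployment can apply today. The wrapper below is an added example written for this page, not code from the golang.org/x/net project or from the advisory. It takes the parser as a parameter so that it compiles with the standard library alone; countTags and slowParse are constructed stand-ins for html.Parse (not real HTML parsers), the sample document is constructed, and the 1 MiB cap and 200 ms deadline are assumed policy values.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// ErrInputTooLarge is returned when the HTML body exceeds the configured byte cap.
var ErrInputTooLarge = errors.New("html input exceeds size limit")

// ParseBounded caps the bytes read from r and runs parse under ctx's deadline.
// parse has the shape of html.Parse from golang.org/x/net/html
// (func(io.Reader) (*html.Node, error)); it is a parameter so this example
// compiles with the standard library only.
//
// Caveat: Go cannot preempt the parser goroutine. When the deadline fires the
// caller is released, but the parse keeps burning CPU until it returns on its
// own. The byte cap is therefore the real bound on work; the deadline only
// keeps the request path responsive.
func ParseBounded[T any](ctx context.Context, r io.Reader, maxBytes int64, parse func(io.Reader) (T, error)) (T, error) {
	var zero T
	// Read one byte past the cap so an oversize body is detected without
	// buffering all of it.
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return zero, err
	}
	if int64(len(buf)) > maxBytes {
		return zero, ErrInputTooLarge
	}

	type result struct {
		v   T
		err error
	}
	done := make(chan result, 1) // buffered: the goroutine never blocks after a timeout
	go func() {
		v, err := parse(bytes.NewReader(buf))
		done <- result{v, err}
	}()

	select {
	case <-ctx.Done():
		return zero, ctx.Err()
	case res := <-done:
		return res.v, res.err
	}
}

// countTags is a constructed stand-in for html.Parse so the example runs
// offline: it only counts '<' characters and is not an HTML parser.
func countTags(r io.Reader) (int, error) {
	b, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	return strings.Count(string(b), "<"), nil
}

// slowParse returns a stand-in parser that simulates being stuck on
// pathological input by sleeping for d before returning.
func slowParse(d time.Duration) func(io.Reader) (int, error) {
	return func(io.Reader) (int, error) {
		time.Sleep(d)
		return 0, nil
	}
}

func main() {
	const maxHTMLBytes = 1 << 20 // assumed policy value: 1 MiB cap on untrusted HTML
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()

	// Constructed sample input: a small well-formed document.
	doc := "<html><body><p>hi</p></body></html>"
	n, err := ParseBounded(ctx, strings.NewReader(doc), maxHTMLBytes, countTags)
	fmt.Println("tags:", n, "err:", err) // tags: 6 err: <nil>

	// An oversize body is rejected before any parsing work happens.
	_, err = ParseBounded(ctx, strings.NewReader(strings.Repeat("<div>", 100)), 100, countTags)
	fmt.Println("oversize:", errors.Is(err, ErrInputTooLarge)) // oversize: true

	// A parser that outlives the deadline releases the caller with context.DeadlineExceeded.
	_, err = ParseBounded(ctx, strings.NewReader("<p>"), maxHTMLBytes, slowParse(2*time.Second))
	fmt.Println("timed out:", errors.Is(err, context.DeadlineExceeded)) // timed out: true

	// In production, pass the real parser: ParseBounded(ctx, r, maxHTMLBytes, html.Parse)
}
```

In a real service, pass html.Parse from golang.org/x/net/html as the parse argument and size the byte cap to the largest legitimate document you expect. The deadline frees the request handler but, as the comment notes, does not stop the parser goroutine, so pair the cap with a per-process limit on concurrent parse calls if the same input can be submitted repeatedly.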

Advisories

No advisories yet.

History

Fri, 22 May 2026 18:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-400

Fri, 22 May 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Title       |                | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
References  |                |

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T17:00:35.395Z

Reserved: 2026-02-05T01:35:43.737Z

Link: CVE-2026-25680

Vulnrichment

Updated: 2026-05-22T17:00:26.491Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T18:30:42Z

Weaknesses