Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in github.com/golang/net
CVE-2025-22872
- github.com/golang/net
- golang/net
- golang.org/x/net
Summary
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (`/`) as self-closing. When directly using `Tokenizer`, this can result in such tags incorrectly being marked as self-closing, and when using the `Parse` functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts). This issue affects golang.org/x/net versions prior to 0.38.0.
- HIGH
- NETWORK
- LOW
- CHANGED
- NONE
- NONE
- LOW
- LOW
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published
