CVE-2025-47911 Overview
The html.Parse function in golang.org/x/net/html contains a quadratic parsing complexity vulnerability that can be exploited to cause denial of service (DoS). When processing certain specially crafted HTML inputs, the parser exhibits O(n²) time complexity, allowing an attacker to consume excessive CPU resources and potentially render applications unresponsive.
Critical Impact
Applications using the Go HTML parser to process untrusted HTML content are vulnerable to algorithmic complexity attacks that can exhaust server resources and cause service disruptions.
Affected Products
- golang.org/x/net/html package (Go HTML parsing library)
- Go applications utilizing the html.Parse function for HTML processing
- Web services and content processing pipelines handling untrusted HTML input
Discovery Timeline
- 2026-02-05 - CVE-2025-47911 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-47911
Vulnerability Analysis
This vulnerability represents an algorithmic complexity attack affecting the HTML parsing functionality in Go's extended networking library. The html.Parse function, which is widely used for parsing HTML documents in Go applications, exhibits quadratic time complexity (O(n²)) when processing certain malformed or adversarial HTML structures.
The performance degradation becomes particularly severe when parsing HTML with deeply nested or repeated elements that trigger worst-case behavior in the parsing algorithm. An attacker can craft relatively small HTML payloads that require disproportionately large amounts of CPU time to process, effectively creating an asymmetric attack where minimal attacker effort results in significant resource consumption on the target system.
This type of vulnerability is especially dangerous in web applications and API services that accept HTML input from untrusted sources, such as content management systems, HTML sanitizers, email processors, or web scrapers.
Root Cause
The root cause lies in the algorithmic implementation of the HTML parser's handling of certain input patterns. Specific HTML constructs cause the parser to perform nested iterations over the input data, resulting in quadratic time complexity rather than the expected linear time complexity for well-formed input. This inefficient handling of edge cases creates an exploitable condition where carefully constructed input dramatically increases processing time.
Attack Vector
An attacker can exploit this vulnerability by submitting specially crafted HTML content to any application endpoint that processes HTML using the vulnerable golang.org/x/net/html package. The attack requires no authentication and can be performed remotely over the network. The attacker crafts HTML input designed to trigger the worst-case parsing behavior, causing the server to spend excessive CPU cycles processing the malicious payload.
Attack scenarios include:
- Submitting malicious HTML through form inputs or API endpoints
- Sending crafted HTML in HTTP request bodies
- Embedding malicious HTML in data feeds consumed by vulnerable applications
- Targeting HTML processing pipelines in content aggregation services
The vulnerability mechanism involves quadratic parsing complexity in the html.Parse function. When the parser encounters certain HTML structures, it performs operations that scale with the square of the input size, allowing small payloads to cause significant processing delays. For detailed technical analysis, refer to the Go.dev Vulnerability GO-2026-4440 and the associated GitHub Issue #4440.
Detection Methods for CVE-2025-47911
Indicators of Compromise
- Unusual spikes in CPU utilization on servers processing HTML content
- Extended response times or timeouts on HTML processing endpoints
- Application logs showing prolonged execution in HTML parsing functions
- Memory and goroutine accumulation in Go applications under load
Detection Strategies
- Monitor CPU utilization patterns for sustained high usage during HTML processing operations
- Implement request timeout thresholds for endpoints that parse HTML content
- Deploy application performance monitoring (APM) to track html.Parse function execution times
- Analyze incoming request sizes and processing time ratios to identify anomalous patterns
Monitoring Recommendations
- Configure alerting for CPU usage exceeding normal thresholds on HTML processing services
- Track and baseline typical HTML parsing duration to identify deviations
- Implement logging for HTML input sizes and corresponding processing times
- Monitor for repeated requests from single sources containing HTML payloads
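As an added example (not part of the original advisory) of the size-to-time ratio check recommended under Detection Strategies and Monitoring Recommendations: it reads constructed log lines carrying the input size and html.Parse duration of each request, takes the median milliseconds-per-KB as the baseline, and flags sources whose ratio exceeds that baseline by a chosen factor. The log layout, field names and the 10.0.0.x sources are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)
// ParseEvent is one html.Parse timing record: client, input size, parse time.
type ParseEvent struct {
	Source         string
	Bytes, ParseMS float64
}
// SampleLog is constructed test data (not from any real deployment) in the
// form an application emits when it logs input size and parse time per call.
const SampleLog = `ts=1 src=10.0.0.5 bytes=20480 parse_ms=4
ts=2 src=10.0.0.6 bytes=51200 parse_ms=11
ts=3 src=10.0.0.7 bytes=8192 parse_ms=2
ts=4 src=10.0.0.9 bytes=30720 parse_ms=2900`
// ParseLog extracts events from lines in the SampleLog layout (the field
// order our own logging emits); malformed lines are skipped.
func ParseLog(log string) (events []ParseEvent) {
	for _, line := range strings.Split(log, "\n") {
		var ts int
		var e ParseEvent
		_, err := fmt.Sscanf(line, "ts=%d src=%s bytes=%f parse_ms=%f",
			&ts, &e.Source, &e.Bytes, &e.ParseMS)
		if err == nil && e.Bytes > 0 {
			events = append(events, e)
		}
	}
	return events
}
// msPerKB is the cost ratio a linear-time parser keeps roughly constant.
func msPerKB(e ParseEvent) float64 { return e.ParseMS / (e.Bytes / 1024) }
// FlagQuadratic returns sources whose ms-per-KB ratio exceeds the median by
// more than factor: a quadratic blow-up stands out even on a small request.
func FlagQuadratic(events []ParseEvent, factor float64) (flagged []string) {
	ratios := make([]float64, len(events))
	for i, e := range events {
		ratios[i] = msPerKB(e)
	}
	sort.Float64s(ratios) // median is ratios[len/2]; read only when non-empty
	for _, e := range events {
		if msPerKB(e) > ratios[len(ratios)/2]*factor {
			flagged = append(flagged, e.Source)
		}
	}
	return flagged
}
```

Run over SampleLog with factor 20, FlagQuadratic(ParseLog(SampleLog), 20) returns only 10.0.0.9, whose 30 KB request cost about 97 ms/KB against a baseline of roughly 0.25 ms/KB; a request-size alert alone would not have singled it out.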
How to Mitigate CVE-2025-47911
Immediate Actions Required
- Identify all applications using golang.org/x/net/html for HTML parsing
- Update to the patched version of the golang.org/x/net package as referenced in Go.dev Code Review #709876
- Implement input size limits on endpoints accepting HTML content
- Add processing timeouts to prevent extended resource consumption
Patch Information
The Go security team has addressed this vulnerability in an updated release of the golang.org/x/net package. Organizations should update their dependencies to incorporate the fix. Review the Google Group Announcement for official patch guidance and version information.
To update the affected package, run:
go get -u golang.org/x/net/html
Workarounds
- Implement strict input size limits on HTML content before parsing
- Add context-based timeouts around html.Parse calls to prevent indefinite processing
- Consider pre-processing or validating HTML structure before full parsing
- Deploy rate limiting on endpoints that accept HTML input from untrusted sources
// Configuration notes for implementing timeouts in Go applications
// Add a context with a timeout before HTML parsing operations, and release it:
//   ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
//   defer cancel()
// html.Parse does not accept a context, so the deadline bounds how long the
// caller waits (for example by selecting on ctx.Done() while the parse runs in
// a goroutine), not the parser's CPU time; input size limits are the effective control.
// Ensure proper input size validation before passing input to html.Parse
// Set a maximum request body size in the HTTP server configuration
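An added example (not code from the advisory or from golang.org/x/net) of the size-limit and timeout workaround: ParseBounded rejects input over a byte cap before parsing and bounds how long the caller waits for the parser. It is generic over the parser's return type so html.Parse can be passed in unchanged; the function name, the error values and the limits are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"time"
)

// ErrTooLarge: the input exceeds the byte cap and is rejected, not truncated
// (a truncated document would still parse and silently lose content).
var ErrTooLarge = errors.New("html input exceeds size limit")

// ErrTimeout: the parser did not finish within the deadline. The parse
// goroutine cannot be interrupted and keeps burning CPU until it returns, so
// the byte cap is the real defence; the timeout only bounds the caller's wait.
var ErrTimeout = errors.New("html parse timed out")

// ParseBounded reads at most maxBytes from r, then runs parse with a
// wall-clock deadline. In production pass html.Parse from golang.org/x/net/html
// as parse: its signature func(io.Reader) (*html.Node, error) fits T.
func ParseBounded[T any](r io.Reader, maxBytes int64, timeout time.Duration,
	parse func(io.Reader) (T, error)) (T, error) {
	var zero T
	// Read one byte past the cap to distinguish "exactly at cap" from "over".
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return zero, err
	}
	if int64(len(buf)) > maxBytes {
		return zero, ErrTooLarge
	}
	type result struct {
		node T
		err  error
	}
	done := make(chan result, 1) // buffered so an abandoned parse can still exit
	go func() {
		n, err := parse(bytes.NewReader(buf))
		done <- result{n, err}
	}()
	select {
	case res := <-done:
		return res.node, res.err
	case <-time.After(timeout):
		return zero, ErrTimeout
	}
}
```

In a handler, call ParseBounded(req.Body, 1<<20, 2*time.Second, html.Parse) with the body already wrapped by http.MaxBytesReader so oversize requests are refused before being read in full. Because the timeout returns control to the caller without stopping the parse goroutine, choose the byte cap so that worst-case parsing of any accepted input is affordable.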
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.