CVE-2025-58190 Overview
CVE-2025-58190 is a denial-of-service vulnerability in the html.Parse function within the golang.org/x/net/html package. The function enters an infinite parsing loop when processing specially crafted HTML inputs. An attacker who can supply HTML content to an affected Go application can trigger sustained CPU consumption, blocking the parsing goroutine and degrading service availability.
The issue is tracked by the Go vulnerability database as GO-2026-4441 and is classified under CWE-835 (Loop with Unreachable Exit Condition). The vulnerability is network-exploitable, requires no privileges, and needs no user interaction.
Critical Impact
Remote attackers can trigger an infinite loop in html.Parse, causing CPU exhaustion and denial of service in any Go service that parses untrusted HTML input.
Affected Products
- golang.org/x/net/html package (Go supplementary networking libraries)
- Go applications that invoke html.Parse on untrusted input
- Downstream libraries and services depending on vulnerable x/net/html versions
Discovery Timeline
- 2026-02-05 - CVE-2025-58190 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-58190
Vulnerability Analysis
The html.Parse function tokenizes and constructs a parse tree from HTML input following the WHATWG HTML parsing algorithm. When processing certain malformed token sequences, the parser fails to make forward progress and re-enters the same state indefinitely. The result is a non-terminating loop that consumes a CPU core for as long as the parsing call runs.
Because Go HTTP handlers and content processing pipelines frequently delegate to html.Parse for sanitization, scraping, feed processing, or templating, a single malicious request can occupy a worker goroutine permanently. Repeated requests rapidly exhaust available CPU and goroutine resources, producing a denial-of-service condition. The flaw does not allow memory disclosure, integrity violation, or code execution.
Root Cause
The root cause is a loop termination defect in the HTML tokenizer/tree-construction state machine. Specific input sequences cause the parser to oscillate between states without advancing the input position or reaching an end-of-input condition. This matches the CWE-835 pattern of a loop with an unreachable exit condition. The official fix is delivered in Go.dev Change List #709875.
Attack Vector
Exploitation requires only the ability to deliver HTML content to a Go application that calls html.Parse. Typical delivery paths include HTTP request bodies, uploaded documents, RSS or Atom feed fetches, webhook payloads, and HTML email processing. The attacker submits a crafted HTML payload that exercises the vulnerable parser state. The handling goroutine then loops without returning, and concurrent requests amplify the impact until the host becomes unresponsive. No authentication, privileges, or user interaction are required. See the Go.dev Vulnerability Advisory GO-2026-4441 and GitHub Vulnerability Issue #4441 for upstream technical details.
Detection Methods for CVE-2025-58190
Indicators of Compromise
- Sustained 100% CPU utilization on one or more goroutines within a Go process that parses HTML
- Increasing request latency or timeouts on endpoints that accept HTML, RSS, or scraped content
- Goroutine stack traces showing long-running frames inside golang.org/x/net/html parser functions
- Repeated incoming requests carrying anomalous or malformed HTML payloads from a small set of source IPs
Detection Strategies
- Run govulncheck against application binaries and source trees to identify imports of vulnerable golang.org/x/net/html versions.
- Inspect dependency manifests (go.mod, go.sum) for golang.org/x/net versions predating the fix in CL 709875.
- Capture periodic goroutine profiles via net/http/pprof and alert when goroutines remain in html parser frames beyond an expected upper bound.
- Correlate spikes in process CPU time with HTTP request logs to identify payloads that trigger the loop.
Monitoring Recommendations
- Alert on per-request CPU time or wall-clock duration exceeding a defined threshold for endpoints that invoke html.Parse.
- Track goroutine counts and runtime scheduler metrics, flagging unbounded growth without corresponding request completion.
- Log and rate-limit clients submitting unusually large or malformed HTML bodies to parsing endpoints.
How to Mitigate CVE-2025-58190
Immediate Actions Required
- Upgrade golang.org/x/net to the patched release referenced in GO-2026-4441 and rebuild affected binaries.
- Run govulncheck ./... across all Go services to enumerate call sites that reach the vulnerable html.Parse code path.
- Wrap html.Parse invocations on untrusted input with a context.Context deadline or goroutine timeout to bound execution time.
- Apply request size limits and input validation in front of any handler that parses HTML from external sources.
Patch Information
The upstream fix is published as Go.dev Change List #709875 and announced via the Google Group Announcement. Update the golang.org/x/net module to the fixed version listed in the Go.dev Vulnerability Advisory GO-2026-4441, then run go mod tidy and redeploy.
Workarounds
- Execute html.Parse in a separate goroutine guarded by a timeout and abort the parse if it exceeds a safe limit.
- Reject HTML inputs above a conservative byte threshold before invoking the parser.
- Restrict access to HTML-processing endpoints behind authentication and per-client rate limits until patching is complete.
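The bounded-execution wrapper recommended under Immediate Actions and Workarounds, as an added example that is not code from this advisory or from the x/net project. It assumes Go 1.18+ (generics) and takes the parse function as a parameter so that html.Parse can be passed in unchanged; the in-flight gauge is the goroutine-growth signal listed under Monitoring Recommendations. A parse that is already looping cannot be pre-empted, so the wrapper bounds request latency and makes the event observable rather than freeing the CPU core.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync/atomic"
)

// ErrParseTimeout is returned when the parser has not finished by the context deadline.
var ErrParseTimeout = errors.New("html parse exceeded deadline")

// Gauges to export as metrics: a looping parse never leaves inFlight, so a value that
// stays elevated after requests have completed is the signal described under Monitoring.
var (
	inFlight int64 // parses started but not yet returned
	timedOut int64 // parses the caller stopped waiting for
)
func InFlight() int64 { return atomic.LoadInt64(&inFlight) }
func TimedOut() int64 { return atomic.LoadInt64(&timedOut) }

// ParseWithDeadline feeds at most maxBytes of r to parse (html.Parse has a matching
// signature) and stops waiting once ctx is done. Go cannot pre-empt the parse goroutine,
// so a looping parser keeps burning its core; this bounds caller latency, not CPU.
func ParseWithDeadline[T any](ctx context.Context, r io.Reader, maxBytes int64,
	parse func(io.Reader) (T, error)) (T, error) {
	type result struct{ val T; err error }
	ch := make(chan result, 1) // buffered: a late finisher must not block forever
	atomic.AddInt64(&inFlight, 1)
	go func() {
		v, err := parse(io.LimitReader(r, maxBytes))
		atomic.AddInt64(&inFlight, -1)
		ch <- result{v, err}
	}()
	select {
	case res := <-ch:
		return res.val, res.err
	case <-ctx.Done():
		atomic.AddInt64(&timedOut, 1)
		var zero T
		return zero, fmt.Errorf("%w: %v", ErrParseTimeout, ctx.Err())
	}
}

func main() { // stand-in parser (constructed for this example); pass html.Parse in real code
	count := func(r io.Reader) (int64, error) { return io.Copy(io.Discard, r) }
	fmt.Println(ParseWithDeadline(context.Background(), strings.NewReader("<p>hi</p>"), 1<<20, count))
}
```

Pair the wrapper with http.MaxBytesReader on the request body and an alert on InFlight() so that a parse abandoned by its handler is counted rather than silently consuming a core until the process is restarted.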
# Update the vulnerable module to the patched version
go get golang.org/x/net@latest
go mod tidy
# Verify no remaining vulnerable call paths
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.