CVE-2018-17075
Description
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of , , or . This is related to HTMLTreeBuilder.cpp in WebKit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go x/net/html before 2018-07-13 panics when parsing HTML containing , , or due to mishandled 'in frameset' insertion mode.
Vulnerability
The golang.org/x/net/html package (specifically the HTML parser) before the 2018-07-13 commit mishandles the "in frameset" insertion mode when processing HTML input. The parser’s inTemplateIM() function does not correctly handle certain token types that are encountered when parsing malformed HTML. This leads to a nil pointer dereference and a panic: runtime error when html.Parse is called on inputs such as `, , or ` [1][3][4]. All versions prior to the fix are affected.
Exploitation
An attacker can trigger the panic by supplying a crafted HTML document containing one of the problematic sequences (e.g., `) to any application that parses user-provided HTML with the vulnerable x/net/html package. No special network position or authentication is required; the attacker only needs the ability to deliver the malicious HTML input (e.g., via a web form, API call, or file upload) [3][4]. The crash occurs deterministically during the call to html.Parse`.
Impact
Successful exploitation causes a denial of service (DoS) by crashing the Go application process with an unhandled panic. The impact is limited to availability; there is no evidence of information disclosure or remote code execution [1][3][4].
Mitigation
A fix was merged into the upstream golang.org/x/net repository on 2018-07-13 [1]. Users should update to the latest revision of the x/net module (post-2018-07-13) or vendor the fix. As of the CVE publication date (2018-09-16), no formal workaround exists other than updating. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/netGo | < 0.0.0-20180816102801-aaf60122140d | 0.0.0-20180816102801-aaf60122140d |
Affected products
1Patches
1aaf60122140dhtml: remove special procedure for <template> in frameset im
2 files changed · +2 −19
html/parse.go+1 −12 modified@@ -1071,13 +1071,7 @@ func inBodyIM(p *parser) bool { p.acknowledgeSelfClosingTag() } return true - case a.Frame: - // TODO: remove this divergence from the HTML5 spec. - if p.oe.contains(a.Template) { - p.addElement() - return true - } - case a.Caption, a.Col, a.Colgroup, a.Head, a.Tbody, a.Td, a.Tfoot, a.Th, a.Thead, a.Tr: + case a.Caption, a.Col, a.Colgroup, a.Frame, a.Head, a.Tbody, a.Td, a.Tfoot, a.Th, a.Thead, a.Tr: // Ignore the token. default: p.reconstructActiveFormattingElements() @@ -1925,11 +1919,6 @@ func inFramesetIM(p *parser) bool { p.acknowledgeSelfClosingTag() case a.Noframes: return inHeadIM(p) - case a.Template: - // TODO: remove this divergence from the HTML5 spec. - // - // See https://bugs.chromium.org/p/chromium/issues/detail?id=829668 - return inTemplateIM(p) } case EndTagToken: switch p.tok.DataAtom {
html/testdata/webkit/template.dat+1 −7 modified@@ -477,9 +477,7 @@ | <html> | <head> | <frameset> -| <template> -| content -| <frame> +| <frame> #data <template><frame></frame></frameset><frame></frame></template> @@ -489,8 +487,6 @@ | <head> | <template> | content -| <frame> -| <frame> | <body> #data @@ -823,8 +819,6 @@ | <head> | <template> | content -| <frame> -| <frame> | <body> #data
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
14- github.com/advisories/GHSA-5p4h-3377-7w67ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2018-17075ghsaADVISORY
- bugs.chromium.org/p/chromium/issues/detailghsax_refsource_MISCWEB
- github.com/golang/go/issues/27016ghsax_refsource_MISCWEB
- github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50ghsax_refsource_MISCWEB
- go-review.googlesource.com/c/net/+/94838/9/html/parse.goghsaWEB
- go.dev/cl/123776ghsaWEB
- go.dev/issue/27016ghsaWEB
- go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHONghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBKghsaWEB
- pkg.go.dev/vuln/GO-2021-0078ghsaWEB
News mentions
0No linked articles in our index yet.