VYPR
High severity · NVD Advisory · Published Sep 17, 2018 · Updated Aug 5, 2024

CVE-2018-17143

Description

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The x/net/html package in Go panics on malformed HTML containing `<isindex/action=0>`, leading to a segmentation violation.

Vulnerability

The html package (x/net/html) in Go through 2018-09-17 mishandles a malformed HTML fragment containing <isindex/action=0> [1][2]. When the html.Parse function processes this sequence, the parser transitions between insertion modes (inTableBodyIM -> inTableIM -> inBodyIM) and attempts to dereference a nil pointer in inBodyIM at parse.go:988 [2]. Affected versions include Go 1.10.3 and earlier releases [2].

Exploitation

An attacker can trigger the panic by supplying the specific HTML string <isindex/action=0> to any application that calls html.Parse on user-controlled input [2]. No authentication or special privileges are required; only the ability to submit crafted HTML to the parser [2]. The attack is a simple client-side data injection, such as posting a comment or sending data to a server-side form that parses HTML.

Impact

Successful exploitation causes a runtime panic, resulting in a denial of service (DoS). The application crashes with a segmentation violation (SIGSEGV) [2]. This can be used to disrupt availability of services that rely on the x/net/html package for HTML parsing [1][2]. The panic does not allow arbitrary code execution or information disclosure.

Mitigation

A fix was included in the x/net repository after the issue was reported (GitHub issue 27704) [2]. Users should update to a version of golang.org/x/net/html that contains the patch. The Go vulnerability database entry (GO-2022-0193) lists the affected package [4]. No workaround is available for unpatched versions; applications must either upgrade the module or filter inputs to prevent <isindex/action=0> sequences from reaching html.Parse.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| golang.org/x/net (Go) | < 0.0.0-20180921000356-2f5d2388922f | 0.0.0-20180921000356-2f5d2388922f |
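
A version check against the patched pseudo-version listed above, as an added example (not code from the advisory or the Go project): it reads the golang.org/x/net requirement from go.mod text and compares its commit timestamp with the fix. The sample go.mod and the function names are constructed, and replace directives are not resolved.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Commit timestamp of the patched pseudo-version listed in the advisory table.
const patchedTime = "20180921000356"

// affected reports whether a golang.org/x/net version predates the fix.
func affected(v string) (bool, error) {
	if !strings.HasPrefix(v, "v0.0.0-") {
		return false, nil // tagged releases sort after every v0.0.0 pseudo-version
	}
	parts := strings.Split(v, "-")
	if len(parts) != 3 || len(parts[1]) != 14 {
		return false, fmt.Errorf("unrecognized pseudo-version %q", v)
	}
	return parts[1] < patchedTime, nil // fixed-width digits compare lexically
}

// xnetVersion returns the golang.org/x/net version required by go.mod text.
func xnetVersion(gomod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "golang.org/x/net" && strings.HasPrefix(f[1], "v") {
			return f[1], true
		}
	}
	return "", false
}

// Constructed sample go.mod; module name, timestamp and hash are made up.
const sampleGoMod = `module example.com/commentsvc

require (
	golang.org/x/net v0.0.0-20180801000000-0123456789ab
	golang.org/x/text v0.3.0
)
`

func main() {
	v, _ := xnetVersion(sampleGoMod)
	hit, err := affected(v)
	fmt.Println(v, "affected:", hit, "err:", err)
}
```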
