CVE-2018-17847
Description
The html package (aka x/net/html) through 2018-09-25 in Go mishandles a crafted svg/template element nesting, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go's x/net/html parser panics on crafted SVG/template nesting due to an out-of-bounds stack pop, leading to denial of service.
Vulnerability
[1] states that the html package (x/net/html) through the 2018-09-25 commit mishandles a crafted svg/template nesting. The parser enters an inconsistent state while processing foreign content and pops the stack of open elements once more than it pushed, so (*nodeStack).pop (node.go) indexes an empty slice and panics with an index-out-of-range error; the call comes from (*parser).clearActiveFormattingElements (parse.go) [2][3]. All versions of golang.org/x/net/html up to and including that commit are affected. No particular configuration is required: any program that passes attacker-controlled HTML to html.Parse is exposed.
Exploitation
An attacker supplies the malformed HTML as input to any application that parses HTML with the vulnerable package. No authentication or special network position is needed: feeding the string to html.Parse triggers the panic [2], and the proof-of-concept in the Go issue reproduces the crash deterministically [3]. The trigger is a short sequence of tags, so request or upload size limits do not stop it.
Impact
A remote attacker can cause a denial of service (panic) in the application. The vulnerability does not allow code execution or information disclosure; it is strictly a denial-of-service condition. The panic originates in the parser's internal stack management, and an unrecovered Go panic terminates the whole process, not just the goroutine that called html.Parse. The practical blast radius therefore depends on the caller: net/http recovers a panic raised inside a handler and logs it, so in a typical HTTP server one request fails; in a CLI, a worker goroutine, or any code path with no recover up the stack, the process exits.
Mitigation
The fix is in golang.org/x/net commit 4b62a64f59f7, published as pseudo-version 0.0.0-20190125002852-4b62a64f59f7 (see the Affected packages table below). Note that the affected range ends at that commit, not at the 2018-09-25 date in the description: a module dated between 2018-09-25 and 2019-01-25 is still vulnerable. Update golang.org/x/net to that pseudo-version or later; reference [4] tracks the issue in the Go vulnerability database as GO-2022-0197, which is the identifier govulncheck reports for it. Apart from updating, the only options are to not parse untrusted HTML or to contain the panic at the call site with recover, which turns a process crash into a failed request.
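When the module cannot be updated immediately, the stopgap a practitioner actually deploys is panic containment around the parse call. The program below is an added example for this page, not code from x/net/html or from the Go project. ParseContained wraps any function with the shape of html.Parse so that a runtime panic inside it becomes an error instead of killing the process, and brokenParse is a constructed stand-in that reproduces the failure mode named in the description (a pop on an empty nodeStack) without depending on the real parser, so the program runs offline. The size cap, the stand-in's tag handling, and the two sample documents are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrParserPanic wraps a panic raised inside the parser so callers can tell
// "hostile document" apart from an ordinary parse error.
var ErrParserPanic = errors.New("html parser panicked")

// maxDocumentSize bounds how much untrusted input reaches the parser. The
// value is an assumption for this example; it is general input hygiene and
// does not by itself prevent CVE-2018-17847, whose trigger is only a few tags.
const maxDocumentSize = 4 << 20

// ParseContained calls parse on at most maxDocumentSize bytes of r and turns a
// runtime panic inside parse (here, the index-out-of-range in
// (*nodeStack).pop) into an error. recover only catches a panic on the
// goroutine whose deferred function runs, which is why parse is called
// synchronously and not started in a new goroutine. T is the parser's result
// type, e.g. *html.Node when parse is html.Parse.
func ParseContained[T any](parse func(io.Reader) (T, error), r io.Reader) (result T, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			var zero T
			result = zero
			err = fmt.Errorf("%w: %v", ErrParserPanic, rec)
		}
	}()
	return parse(io.LimitReader(r, maxDocumentSize))
}

// nodeStack mirrors the shape of the element stack in x/net/html's node.go: a
// slice whose pop assumes the caller ensured it is non-empty. With len == 0 the
// index expression becomes s[-1], the "index out of range" from the CVE text.
type nodeStack []string

func (s *nodeStack) pop() string {
	i := len(*s)
	n := (*s)[i-1]
	*s = (*s)[:i-1]
	return n
}

// brokenParse is a constructed stand-in for the vulnerable html.Parse, not the
// real parser: it pushes on every start tag and pops on every end tag without
// checking the stack, so a document with more end tags than start tags reaches
// pop with an empty stack. It returns the number of elements left open.
func brokenParse(r io.Reader) (int, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	var open nodeStack
	for _, chunk := range strings.Split(string(data), "<")[1:] {
		end := strings.IndexByte(chunk, '>')
		if end < 0 {
			return 0, errors.New("unterminated tag")
		}
		if name := chunk[:end]; strings.HasPrefix(name, "/") {
			open.pop() // the missing len(open) > 0 check is the bug being modelled
		} else {
			open = append(open, name)
		}
	}
	return len(open), nil
}

func main() {
	for _, doc := range []string{
		"<svg><template></template>", // balanced: parser returns normally
		"<svg></svg></template>",     // surplus end tag: pop on an empty stack
	} {
		n, err := ParseContained(brokenParse, strings.NewReader(doc))
		fmt.Printf("%-28q open=%d err=%v\n", doc, n, err)
	}
}
```

In a real program, pass html.Parse as the parse argument. Two caveats: recover only works on the goroutine that runs the deferred function, so the parse must not be moved into its own goroutine; and net/http already recovers panics raised inside a handler, so in an HTTP server this wrapper mainly adds a structured error rather than process protection, whereas in a CLI or a worker goroutine it is the difference between a logged error and a dead process. Containment is a stopgap; the fix is the patched module version.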
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net (Go) | < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 |
Affected products
3 OSV coordinates (no CPE assigned)
- range: < 0.1.4-r3
- range: < 0.1.4-r3
- range: < 0.0.0-20190125002852-4b62a64f59f7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4r78-hx75-jjj2 (GHSA advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/ (Fedora package announcement)
- nvd.nist.gov/vuln/detail/CVE-2018-17847 (NVD advisory)
- github.com/golang/go/issues/27846 (Go issue tracker)
- go.dev/cl/159397 (Go code review)
- go.dev/issue/27846 (Go issue tracker)
- go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c (x/net commit; the patched pseudo-version in the Affected packages table points at it)
- pkg.go.dev/vuln/GO-2022-0197 (Go vulnerability database entry)
News mentions
No linked articles in our index yet.