CVE-2018-17848
Description
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go's x/net/html package panics on crafted HTML input, causing denial of service via index-out-of-range error in node stack pop.
Vulnerability
The golang.org/x/net/html package before commit 5e0e0f15960b (released 2018-10-17) mishandles certain crafted input during HTML parsing. This triggers an index-out-of-range panic in the (*insertionModeStack).pop method in node.go, called from inHeadIM. The issue affects all versions up to and including the package as of 2018-09-25 [1][2].
Exploitation
An attacker can exploit this by providing a crafted HTML document to a Go application that parses HTML using html.Parse. No authentication, special privileges, or user interaction is required beyond the parsing of the malicious input. The attack vector is network-based, e.g., via uploading or serving a crafted HTML file. The panic occurs immediately during parsing [2][3].
Impact
Successful exploitation results in a panic (runtime error) that crashes the Go process, leading to a denial of service. There is no evidence of code execution or memory corruption beyond the slice bounds error. The impact is limited to availability [1][4].
Mitigation
The vulnerability is fixed in golang.org/x/net version 0.0.0-20181017171733-5e0e0f15960b (commit 5e0e0f15960b) and later, which is included in Go 1.11. Users should update their x/net/html dependency to a version after that commit. If updating is not possible, avoid parsing untrusted HTML input with the affected package [4].
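The failure mode above is an unchecked pop from an empty stack. As an added illustration that is not the x/net/html package's own code, the stand-in stack below reproduces that index-out-of-range panic, shows the length check that prevents it, and wraps parsing in a hypothetical parseGuarded helper that turns a runtime panic into an error so a single malicious document cannot crash the whole process while the dependency is being updated.

```go
package main

import "fmt"

// insertionMode stands in for the parser's per-element state.
type insertionMode int

// insertionModeStack is a minimal stand-in (not the package's own code) for
// the stack type named in the advisory. vulnerablePop mirrors the described
// failure: popping an empty stack evaluates (*s)[-1] and panics with
// "index out of range".
type insertionModeStack []insertionMode

func (s *insertionModeStack) vulnerablePop() insertionMode {
	i := len(*s)
	im := (*s)[i-1] // panics when i == 0
	*s = (*s)[:i-1]
	return im
}

// safePop is the obvious hardening: check the length before indexing and
// report an empty stack to the caller instead of panicking.
func (s *insertionModeStack) safePop() (insertionMode, bool) {
	i := len(*s)
	if i == 0 {
		return 0, false
	}
	im := (*s)[i-1]
	*s = (*s)[:i-1]
	return im, true
}

// parseGuarded (assumed helper) runs a parser callback and converts any
// runtime panic into an error, containing the availability impact to the
// one request that carried the crafted document.
func parseGuarded(parse func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("html parse aborted: %v", r)
		}
	}()
	return parse()
}

func main() {
	var s insertionModeStack
	err := parseGuarded(func() error { s.vulnerablePop(); return nil })
	fmt.Println(err) // html parse aborted: runtime error: index out of range [-1]
}
```

The guard only contains the crash; moving past the patched commit remains the actual fix.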
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net (Go) | < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 |
Affected products
3 entries (OSV coordinates, no CPE)
- range: < 0.1.4-r3
- range: < 0.1.4-r3
- range: < 0.0.0-20190125002852-4b62a64f59f7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11 references
- github.com/advisories/GHSA-mv93-wvcp-7m7r (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2018-17848 (GHSA, advisory)
- github.com/golang/go/issues/27846 (GHSA, x_refsource_MISC, web)
- go.dev/cl/159397 (GHSA, web)
- go.dev/issue/27846 (GHSA, web)
- go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK (GHSA, web)
- pkg.go.dev/vuln/GO-2022-0197 (GHSA, web)
News mentions
No linked articles in our index yet.