Quadratic parsing complexity in golang.org/x/net/html
Description
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity leading to denial of service via crafted HTML.
Vulnerability Analysis
The html.Parse function in the golang.org/x/net/html package exhibits quadratic parsing complexity when handling certain inputs [1]. This means processing time can grow with the square of the input size rather than linearly, so a modest document can cause slow execution or denial of service [1][4]. The root cause lies in the algorithms prescribed by the HTML specification, which contain steps of inherently quadratic cost [4].
Exploitation and Impact
An attacker can exploit this by providing a specially crafted HTML document to an application that parses untrusted HTML content [4]. The parser's processing time scales quadratically with input size, leading to excessive CPU consumption and eventual denial of service [1][4]. No authentication is required if the application accepts external input, so the issue is reachable across network boundaries wherever untrusted HTML is parsed.
Mitigation
The vulnerability is patched in version v0.45.0 of golang.org/x/net [4]. The fix imposes a depth limit of 512 on nested HTML tags, which should be sufficient for most valid documents [4]. Affected programs should update to the patched version to mitigate the DoS risk. There is no evidence that this vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
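A defensive wrapper for callers that parse untrusted HTML with golang.org/x/net/html, added here as an example (not code from the advisory or from the x/net project) and meant to complement the upgrade to v0.45.0, not replace it: it caps the number of input bytes, which bounds a quadratic parser's cost, and bounds the caller's wait with a context. ParseFunc, ParseBounded and ParseWithDeadline are hypothetical names; the html.Parse adapter in the comment is assumed, and the block uses a stand-in parser so it runs without the x/net module.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrInputTooLarge is returned when the untrusted document exceeds the byte cap.
var ErrInputTooLarge = errors.New("html input exceeds size limit")

// ParseFunc is the parser's shape; html.Parse from golang.org/x/net/html fits it via
// a one-line adapter you write (assumed): func(r io.Reader) error { _, err := html.Parse(r); return err }
type ParseFunc func(io.Reader) error

// ParseBounded reads at most maxBytes from r and hands the bytes to parse. Over-limit
// input is rejected, not silently truncated (a truncated document still parses and would
// hide the rejection). Capping n is the primary defence against a parser costing O(n^2).
func ParseBounded(r io.Reader, maxBytes int64, parse ParseFunc) error {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(buf)) > maxBytes {
		return ErrInputTooLarge
	}
	return parse(bytes.NewReader(buf))
}

// ParseWithDeadline runs ParseBounded in a goroutine and stops waiting once ctx expires.
// html.Parse cannot be interrupted, so the goroutine runs to completion regardless: the
// deadline bounds the caller's latency, not the CPU spent, so the byte cap is the real control.
func ParseWithDeadline(ctx context.Context, r io.Reader, maxBytes int64, parse ParseFunc) error {
	done := make(chan error, 1) // buffered so the goroutine never blocks after ctx expires
	go func() { done <- ParseBounded(r, maxBytes, parse) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ctx.Err()
	}
}

func main() {
	// Constructed input: 9 bytes against a 4-byte cap is rejected before any parsing. prints: html input exceeds size limit
	fmt.Println(ParseBounded(strings.NewReader("<p>hi</p>"), 4, func(io.Reader) error { return nil }))
}
```

In production the cap should reflect the largest document the service legitimately needs to render, and the rejection should be logged so bursts of over-limit uploads are visible to monitoring.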
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net/html (Go) | < 0.45.0 | 0.45.0 |
Affected products
- golang.org/x/net (package golang.org/x/net/html)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w4gw-w5jq-g9jh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47911 (GHSA, advisory)
- github.com/golang/vulndb/issues/4440 (GHSA, web)
- go.dev/cl/709876 (GHSA, web)
- go.googlesource.com/net (GHSA, package)
- groups.google.com/g/golang-announce/c/jnQcOYpiR2c (GHSA, web)
- pkg.go.dev/vuln/GO-2026-4440 (GHSA, web)
News mentions
No linked articles in our index yet.