Go modules package
golang.org/x/net
pkg:golang/golang.org/x/net
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22872 | Med | 6.5 | < 0.38.0 | 0.38.0 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-22870 | Med | 4.4 | < 0.36.0 | 0.36.0 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2023-45288 | Hig | 7.5 | < 0.23.0 | 0.23.0 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2023-39325 | — | < 0.17.0 | 0.17.0 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 0.17.0 | 0.17.0 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-3978 | — | < 0.13.0 | 0.13.0 | Aug 2, 2023 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||
| CVE-2022-41723 | — | < 0.7.0 | 0.7.0 | Feb 28, 2023 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | ||
| CVE-2022-41721 | — | >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 | Jan 13, 2023 | A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which coul | ||
| CVE-2022-41717 | — | < 0.4.0 | 0.4.0 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-27664 | — | < 0.0.0-20220906165146-f3363e06e74c | 0.0.0-20220906165146-f3363e06e74c | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2021-31525 | — | < 0.0.0-20210428140749-89ef3d95e781 | 0.0.0-20210428140749-89ef3d95e781 | May 27, 2021 | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | ||
| CVE-2021-33194 | — | < 0.0.0-20210520170846-37e1c6afe023 | 0.0.0-20210520170846-37e1c6afe023 | May 26, 2021 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. | ||
| CVE-2019-9512 | — | < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum | ||
| CVE-2019-9514 | — | < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer | ||
| CVE-2018-17848 | — | < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 | Oct 1, 2018 | The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call. | ||
| CVE-2018-17847 | — | < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 | Oct 1, 2018 | The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call. | ||
| CVE-2018-17846 | — | < 0.0.0-20190125091013-d26f9f9a57f3 | 0.0.0-20190125091013-d26f9f9a57f3 | Oct 1, 2018 | The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification. | ||
| CVE-2018-17143 | — | < 0.0.0-20180921000356-2f5d2388922f | 0.0.0-20180921000356-2f5d2388922f | Sep 17, 2018 | The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call. | ||
| CVE-2018-17142 | — | < 0.0.0-20180925071336-cf3bd585ca2a | 0.0.0-20180925071336-cf3bd585ca2a | Sep 17, 2018 | The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call. | ||
| CVE-2018-17075 | — | < 0.0.0-20180816102801-aaf60122140d | 0.0.0-20180816102801-aaf60122140d | Sep 16, 2018 | The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of , , or . This is related to HTMLTreeBuilder.cpp in WebKit. |
- affected < 0.38.0fixed 0.38.0
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 0.36.0fixed 0.36.0
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- affected < 0.23.0fixed 0.23.0
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- CVE-2023-39325Oct 11, 2023affected < 0.17.0fixed 0.17.0
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 0.17.0fixed 0.17.0
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-3978Aug 2, 2023affected < 0.13.0fixed 0.13.0
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
- CVE-2022-41723Feb 28, 2023affected < 0.7.0fixed 0.7.0
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2022-41721Jan 13, 2023affected >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862fixed 0.1.1-0.20221104162952-702349b0e862
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which coul
- CVE-2022-41717Dec 8, 2022affected < 0.4.0fixed 0.4.0
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-27664Sep 6, 2022affected < 0.0.0-20220906165146-f3363e06e74cfixed 0.0.0-20220906165146-f3363e06e74c
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2021-31525May 27, 2021affected < 0.0.0-20210428140749-89ef3d95e781fixed 0.0.0-20210428140749-89ef3d95e781
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
- CVE-2021-33194May 26, 2021affected < 0.0.0-20210520170846-37e1c6afe023fixed 0.0.0-20210520170846-37e1c6afe023
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
- CVE-2019-9512Aug 13, 2019affected < 0.0.0-20190813141303-74dc4d7220e7fixed 0.0.0-20190813141303-74dc4d7220e7
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum
- CVE-2019-9514Aug 13, 2019affected < 0.0.0-20190813141303-74dc4d7220e7fixed 0.0.0-20190813141303-74dc4d7220e7
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer
- CVE-2018-17848Oct 1, 2018affected < 0.0.0-20190125002852-4b62a64f59f7fixed 0.0.0-20190125002852-4b62a64f59f7
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
- CVE-2018-17847Oct 1, 2018affected < 0.0.0-20190125002852-4b62a64f59f7fixed 0.0.0-20190125002852-4b62a64f59f7
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
- CVE-2018-17846Oct 1, 2018affected < 0.0.0-20190125091013-d26f9f9a57f3fixed 0.0.0-20190125091013-d26f9f9a57f3
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.
- CVE-2018-17143Sep 17, 2018affected < 0.0.0-20180921000356-2f5d2388922ffixed 0.0.0-20180921000356-2f5d2388922f
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
- CVE-2018-17142Sep 17, 2018affected < 0.0.0-20180925071336-cf3bd585ca2afixed 0.0.0-20180925071336-cf3bd585ca2a
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
- CVE-2018-17075Sep 16, 2018affected < 0.0.0-20180816102801-aaf60122140dfixed 0.0.0-20180816102801-aaf60122140d
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of , , or . This is related to HTMLTreeBuilder.cpp in WebKit.