CVE-2021-33194: [security] Vulnerability in golang.org/x/net/html

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.


Filippo Valsorda

May 20, 2021, 7:24:58 PM

to golang-nuts, golang-…@googlegroups.com, golang-dev

Hello gophers,

Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.

An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.

This issue was discovered by OSS-Fuzz and reported to us by Andrew Thornton <ar…@cantab.net>, and is tracked as CVE-2021-33194.

Cheers,
Filippo on behalf of the Go team
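
One way to check a project against this advisory, as an added example that is not part of the original post or the Go project's own code: the Go program below reads the `golang.org/x/net` requirement from a `go.mod` and compares its pseudo-version timestamp with the fixed version. The `go.mod` content is constructed and the function names are hypothetical; it assumes tagged releases of the module postdate the fix, and it ignores `replace` directives.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed version as stated in the advisory.
const fixedVersion = "v0.0.0-20210520170846-37e1c6afe023"
// Constructed go.mod; module name, versions and commit hashes are made up.
const sampleGoMod = `module example.com/app
exclude golang.org/x/net v0.0.0-20200101000000-000000000000
require (
	golang.org/x/net v0.0.0-20210101000000-000000000000 // indirect
)`

// xnetVersion returns the golang.org/x/net version named by a require
// directive in go.mod text, or "" if there is none.
func xnetVersion(gomod string) string {
	block := "" // directive whose "( ... )" block we are currently inside
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case block == "" && len(f) == 3 && f[0] == "require" && f[1] == "golang.org/x/net":
			return f[2]
		case block == "require" && len(f) == 2 && f[0] == "golang.org/x/net":
			return f[1]
		}
	}
	return ""
}

// beforeFix reports whether a golang.org/x/net version predates the fix.
func beforeFix(v string) (bool, error) {
	p := strings.Split(v, "-")
	fixedTS := strings.Split(fixedVersion, "-")[1]
	if strings.HasPrefix(v, "v") && p[0] != "v0.0.0" {
		return false, nil // tagged release, assumed to postdate the fix
	}
	if len(p) != 3 || p[0] != "v0.0.0" || len(p[1]) != len(fixedTS) || strings.Trim(p[1], "0123456789") != "" {
		return false, fmt.Errorf("unrecognised version %q", v)
	}
	return p[1] < fixedTS, nil // equal-length digit strings order by time
}

func main() { fmt.Println(beforeFix(xnetVersion(sampleGoMod))) }
```

A `replace` directive can substitute different code for the version named in `require`, so a build that uses one needs its replacement target checked separately.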
