| id: GO-2022-0197 |
| modules: |
| - module: golang.org/x/net |
| versions: |
| - fixed: 0.0.0-20190125002852-4b62a64f59f7 |
| vulnerable_at: 0.0.0-20190119204137-ed066c81e75e |
| packages: |
| - package: golang.org/x/net/html |
| symbols: |
| - nodeStack.contains |
| derived_symbols: |
| - Parse |
| - ParseFragment |
| summary: Panic when parsing certain inputs in golang.org/x/net/html |
| description: |- |
| The Parse function can panic on some invalid inputs. |
| |
| For example, the Parse function panics on the input |
| "<svg><template><desc><t><svg></template>". |
| published: 2022-07-01T20:15:19Z |
| cves: |
| - CVE-2018-17847 |
| - CVE-2018-17848 |
| ghsas: |
| - GHSA-4r78-hx75-jjj2 |
| - GHSA-mv93-wvcp-7m7r |
| credits: |
| - '@tr3ee' |
| references: |
| - fix: https://go.dev/cl/159397 |
| - fix: https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c |
| - report: https://go.dev/issue/27846 |
| review_status: REVIEWED |