data/reports: add GO-2025-3595

  - data/reports/GO-2025-3595.yaml

Fixes golang/vulndb#3595

Change-Id: I82e42a91df6f53dea93e9621e5f1381ea7460766
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/664535
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/data/cve/v5/GO-2025-3595.json b/data/cve/v5/GO-2025-3595.json
new file mode 100644
index 0000000..59ef22e
--- /dev/null
+++ b/data/cve/v5/GO-2025-3595.json
@@ -0,0 +1,88 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2025-22872"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/net",
+          "product": "golang.org/x/net/html",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/net/html",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "0.38.0",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "Tokenizer.readStartTag"
+            },
+            {
+              "name": "Parse"
+            },
+            {
+              "name": "ParseFragment"
+            },
+            {
+              "name": "ParseFragmentWithOptions"
+            },
+            {
+              "name": "ParseWithOptions"
+            },
+            {
+              "name": "Tokenizer.Next"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-79"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/cl/662715"
+        },
+        {
+          "url": "https://go.dev/issue/73070"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-3595"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Sean Ng (https://ensy.zip)"
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3595.json b/data/osv/GO-2025-3595.json
new file mode 100644
index 0000000..9968997
--- /dev/null
+++ b/data/osv/GO-2025-3595.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3595",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-22872"
+  ],
+  "summary": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net",
+  "details": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/net",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.38.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/net/html",
+            "symbols": [
+              "Parse",
+              "ParseFragment",
+              "ParseFragmentWithOptions",
+              "ParseWithOptions",
+              "Tokenizer.Next",
+              "Tokenizer.readStartTag"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/662715"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/73070"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Sean Ng (https://ensy.zip)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3595",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3595.yaml b/data/reports/GO-2025-3595.yaml
new file mode 100644
index 0000000..3e03469
--- /dev/null
+++ b/data/reports/GO-2025-3595.yaml
@@ -0,0 +1,39 @@
+id: GO-2025-3595
+modules:
+    - module: golang.org/x/net
+      versions:
+        - fixed: 0.38.0
+      vulnerable_at: 0.37.0
+      packages:
+        - package: golang.org/x/net/html
+          symbols:
+            - Tokenizer.readStartTag
+          derived_symbols:
+            - Parse
+            - ParseFragment
+            - ParseFragmentWithOptions
+            - ParseWithOptions
+            - Tokenizer.Next
+summary: |-
+    Incorrect Neutralization of Input During Web Page Generation in x/net in
+    golang.org/x/net
+description: |-
+    The tokenizer incorrectly interprets tags with unquoted attribute values that
+    end with a solidus character (/) as self-closing. When directly using Tokenizer,
+    this can result in such tags incorrectly being marked as self-closing, and when
+    using the Parse functions, this can result in content following such tags as
+    being placed in the wrong scope during DOM construction, but only when tags are
+    in foreign content (e.g. <math>, <svg>, etc contexts).
+credits:
+    - Sean Ng (https://ensy.zip)
+references:
+    - fix: https://go.dev/cl/662715
+    - report: https://go.dev/issue/73070
+    - web: https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
+cve_metadata:
+    id: CVE-2025-22872
+    cwe: CWE-79
+source:
+    id: go-security-team
+    created: 2025-04-10T12:43:28.919502-04:00
+review_status: REVIEWED
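Review bot: The `summary` in data/reports/GO-2025-3595.yaml names the module twice ("in x/net in golang.org/x/net") and repeats the CWE-79 title instead of the defect, so a reader scanning the database cannot tell that the affected package is `golang.org/x/net/html`. A wording such as `summary: Incorrect handling of unquoted attribute values ending in a solidus in golang.org/x/net/html` would match the description. The `description` explains the mis-scoping in foreign content but never ties it to the `cwe: CWE-79` entry under `cve_metadata`. Presumably the exposure is for code that filters or sanitizes untrusted HTML based on the parsed tree, and one sentence saying so would let consumers judge whether they are affected. The same text is repeated in the data/osv and data/cve/v5 JSON files, which appear to be generated from this report, so any rewording belongs here.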