blob: 3780563e09d67145f5b4eb9a6ef40bee0ff78a11 [file] [log] [blame]
id: GO-2021-0238
modules:
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20210520170846-37e1c6afe023
vulnerable_at: 0.0.0-20210510120150-4163338589ed
packages:
- package: golang.org/x/net/html
symbols:
- inHeadIM
derived_symbols:
- Parse
- ParseFragment
- ParseFragmentWithOptions
- ParseWithOptions
summary: Infinite loop when parsing inputs in golang.org/x/net/html
description: |-
An attacker can craft an input to ParseFragment that causes it to enter an
infinite loop and never return.
published: 2022-02-17T17:33:43Z
cves:
- CVE-2021-33194
ghsas:
- GHSA-83g2-8m93-v3w7
credits:
- OSS-Fuzz (discovery)
- Andrew Thornton (reporter)
references:
- fix: https://go.dev/cl/311090
- fix: https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
- report: https://go.dev/issue/46288
- web: https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
review_status: REVIEWED