reports/GO-2021-0078.yaml

module: golang.org/x/net
package: golang.org/x/net/html
versions:
  - fixed: v0.0.0-20180816102801-aaf60122140d
description: |
  The HTML parser does not properly handle "in frameset" insertion mode, and can be made
  to panic when operating on malformed HTML that contains <template> tags. If operating
  on user input, this may be a vector for a denial of service attack.
cves:
  - CVE-2018-17075
credit: Kunpei Sakai
symbols:
  - inBodyIM
  - inFramesetIM
links:
  pr: https://go-review.googlesource.com/123776
  commit: https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50
  context:
    - https://go.dev/issue/27016
    - https://bugs.chromium.org/p/chromium/issues/detail?id=829668
    - https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906