CVE-2025-22872
Aliases:GHSA-vvgc-356p-c3xwGO-2025-3595
Advisory lineage Upstream: 0 Downstream: 63
Deferred
Published: 16 Apr 2025, 17:13
Last modified:16 May 2025, 23:03
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.02% LOW
0% probability -0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Apr 2025, 17:13
Published
Vulnerability first disclosed
16 May 2025, 23:03
Last Modified
Vulnerability information updated
Description
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
CVSS Metrics
- v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS Trends
Current EPSS score: 0.02%• Percentile: 4%
Affected Systems
- golang.org/x•net
< 0.38.0
- golang.org/x/net•golang.org/x/net/html
< 0.38.0
References (7)
- https://go.dev/cl/662715
- https://go.dev/issue/73070
- https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
- https://pkg.go.dev/vuln/GO-2025-3595
- https://security.netapp.com/advisory/ntap-20250516-0007/
- https://nvd.nist.gov/vuln/detail/CVE-2025-22872
- https://security.netapp.com/advisory/ntap-20250516-0007