Closed
Description
Advisory GHSA-vvgc-356p-c3xw references a vulnerability in the following Go modules:
| Module |
|---|
| golang.org/x/net |
Description:
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc. contexts).
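To make the described tokenizer behaviour concrete, the following is an added Go example (it is not code from this report or from golang.org/x/net) that implements the WHATWG "attribute value (unquoted) state" rule with the standard library only: an unquoted value runs until whitespace or `>`, so in `<a href=foo/>` the solidus belongs to the value and the tag is not self-closing, whereas `<a href=foo />` and `<a href="foo"/>` are. It also includes a small triage scanner that flags start tags whose text ends in `/>` yet are not self-closing under that rule, the exact shape the affected tokenizer misread. The function names (`ParseStartTag`, `FindSolidusTerminatedValues`) and the sample fragment are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// StartTag is the result of parsing one start tag.
type StartTag struct {
	Name        string
	Attrs       map[string]string
	SelfClosing bool
}

// isSpace reports whether c is HTML whitespace (tab, LF, FF, CR, space).
func isSpace(c byte) bool {
	return c == '\t' || c == '\n' || c == '\f' || c == '\r' || c == ' '
}

// isNameStart reports whether c can begin a tag name (ASCII letter).
func isNameStart(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// ParseStartTag parses a single start tag such as `<a href=foo/>` following
// the WHATWG tokenizer rules for attribute values. Unquoted values are
// consumed up to whitespace or '>', so a trailing '/' is part of the value;
// only a '/' immediately before '>' sets the self-closing flag.
func ParseStartTag(s string) (StartTag, error) {
	tag := StartTag{Attrs: map[string]string{}}
	if len(s) < 3 || s[0] != '<' || s[len(s)-1] != '>' {
		return tag, fmt.Errorf("not a start tag: %q", s)
	}
	i, n := 1, len(s)-1 // n is the index of the closing '>'
	start := i
	for i < n && !isSpace(s[i]) && s[i] != '/' { // tag name state
		i++
	}
	tag.Name = strings.ToLower(s[start:i])
	if tag.Name == "" {
		return tag, fmt.Errorf("empty tag name in %q", s)
	}
	for i < n {
		if isSpace(s[i]) { // before attribute name state
			i++
			continue
		}
		if s[i] == '/' {
			if i+1 == n { // self-closing start tag state
				tag.SelfClosing = true
			}
			i++ // a stray '/' elsewhere is a parse error the spec ignores
			continue
		}
		start = i
		for i < n && !isSpace(s[i]) && s[i] != '/' && s[i] != '=' { // attribute name state
			i++
		}
		name := strings.ToLower(s[start:i])
		for i < n && isSpace(s[i]) { // after attribute name state
			i++
		}
		if i >= n || s[i] != '=' {
			tag.Attrs[name] = "" // attribute with no value
			continue
		}
		i++ // consume '='
		for i < n && isSpace(s[i]) { // before attribute value state
			i++
		}
		var value string
		if i < n && (s[i] == '"' || s[i] == '\'') { // quoted value
			quote := s[i]
			i++
			start = i
			for i < n && s[i] != quote {
				i++
			}
			value = s[start:i]
			if i < n {
				i++ // consume the closing quote
			}
		} else { // attribute value (unquoted) state: '/' is NOT a terminator
			start = i
			for i < n && !isSpace(s[i]) {
				i++
			}
			value = s[start:i]
		}
		tag.Attrs[name] = value
	}
	return tag, nil
}

// FindSolidusTerminatedValues scans an HTML fragment and returns the raw text
// of start tags that end in "/>" but are not self-closing under the spec rule,
// i.e. tags whose last unquoted attribute value ends with '/'. It is a triage
// aid only: it does not track foreign-content context, so it over-approximates.
func FindSolidusTerminatedValues(doc string) []string {
	var hits []string
	for i := 0; i < len(doc); i++ {
		if doc[i] != '<' || i+1 >= len(doc) || !isNameStart(doc[i+1]) {
			continue // not a start tag (text, end tag, comment, ...)
		}
		j, quote := i+1, byte(0)
		for j < len(doc) { // find the closing '>' honoring quoted values
			c := doc[j]
			if quote != 0 {
				if c == quote {
					quote = 0
				}
			} else if (c == '"' || c == '\'') && doc[j-1] == '=' {
				quote = c
			} else if c == '>' {
				break
			}
			j++
		}
		if j >= len(doc) {
			break
		}
		raw := doc[i : j+1]
		if tag, err := ParseStartTag(raw); err == nil && strings.HasSuffix(raw, "/>") && !tag.SelfClosing {
			hits = append(hits, raw)
		}
		i = j
	}
	return hits
}

// SampleFragment is a constructed input for the example, not taken from the report.
const SampleFragment = `<svg><a href=x/><b>bold</b></svg><img src="y/"/><p class=c/>`

func main() {
	for _, raw := range FindSolidusTerminatedValues(SampleFragment) {
		tag, _ := ParseStartTag(raw)
		fmt.Printf("%s -> not self-closing, attrs=%v\n", raw, tag.Attrs)
	}
}
```

Running it reports `<a href=x/>` and `<p class=c/>`; `<img src="y/"/>` is not reported because its value is quoted and the `/` before `>` really is the self-closing flag. The scanner is only a way to see whether inputs have the ambiguous shape; the authoritative behaviour is the fixed tokenizer in golang.org/x/net 0.38.0.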
References:
- ADVISORY: GHSA-vvgc-356p-c3xw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-22872
- FIX: https://go.dev/cl/662715
- REPORT: https://go.dev/issue/73070
- WEB: https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
Cross references:
- golang.org/x/net appears in 18 other report(s):
  - data/reports/GO-2020-0014.yaml (dummy issue #14)
  - data/reports/GO-2021-0078.yaml (dummy issue #78)
  - data/reports/GO-2021-0238.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-33194 #238)
  - data/reports/GO-2022-0192.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17142 #192)
  - data/reports/GO-2022-0193.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17143 #193)
  - data/reports/GO-2022-0197.yaml (x/vulndb: potential Go vuln in "Go Standard Library (package not identified)": CVE-2018-17847 #197)
  - data/reports/GO-2022-0236.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-31525 #236)
  - data/reports/GO-2022-0288.yaml (x/vulndb: potential Go vuln in std: CVE-2021-44716 #288)
  - data/reports/GO-2022-0536.yaml (x/vulndb: potential Go vuln in std: CVE-2019-9512, CVE-2019-9514 #536)
  - data/reports/GO-2022-0969.yaml (x/vulndb: potential Go vuln in std: CVE-2022-27664 #969)
  - data/reports/GO-2022-1144.yaml (x/vulndb: potential Go vuln in std: CVE-2022-41717 #1144)
  - data/reports/GO-2023-1495.yaml (x/vulndb: potential Go vuln in golang.org/x/net/http2/h2c: CVE-2022-41721 #1495)
  - data/reports/GO-2023-1571.yaml (x/vulndb: potential Go vuln in net/http: CVE-2022-41723 #1571)
  - data/reports/GO-2023-1988.yaml (x/vulndb: potential Go vuln in golang.org/x/net/html: CVE-2023-3978 #1988)
  - data/reports/GO-2023-2102.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-39325 #2102)
  - data/reports/GO-2024-2687.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-45288 #2687)
  - data/reports/GO-2024-3333.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2024-45338 #3333)
  - data/reports/GO-2025-3503.yaml (x/vulndb: potential Go vuln in golang.org/x/net/http/httpproxy: CVE-2025-22870 #3503)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: golang.org/x/net
      versions:
        - fixed: 0.38.0
      vulnerable_at: 0.37.0
summary: golang.org/x/net vulnerable to Cross-site Scripting
cves:
    - CVE-2025-22872
ghsas:
    - GHSA-vvgc-356p-c3xw
references:
    - advisory: https://github.com/advisories/GHSA-vvgc-356p-c3xw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-22872
    - fix: https://go.dev/cl/662715
    - report: https://go.dev/issue/73070
    - web: https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
source:
    id: GHSA-vvgc-356p-c3xw
    created: 2025-04-16T20:04:07.924496548Z
review_status: UNREVIEWED
```