golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated May 20, 2024
Package
Affected versions
< 0.0.0-20190125002852-4b62a64f59f7
Patched versions
0.0.0-20190125002852-4b62a64f59f7
Description
Published by the National Vulnerability Database
Oct 1, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Feb 7, 2023
Last updated
May 20, 2024
The html package (aka
x/net/html
) through 2018-09-25 in Go mishandles<svg><template><desc><t><svg></template>
, leading to apanic: runtime error
(index out of range) in(*nodeStack).pop
in node.go, called from(*parser).clearActiveFormattingElements
, during anhtml.Parse
call.References