CVE-2025-47911: golang.org/x/net/html has a Quadratic Parsing Complexity issue

February 12, 2026

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to Denial of Service (DoS) if an attacker provides specially crafted HTML content.

References

github.com/advisories/GHSA-w4gw-w5jq-g9jh
github.com/golang/vulndb/issues/4440
go.dev/cl/709876
go.googlesource.com/net
groups.google.com/g/golang-announce/c/jnQcOYpiR2c
nvd.nist.gov/vuln/detail/CVE-2025-47911
pkg.go.dev/vuln/GO-2026-4440

Code Behaviors & Features

Detect and mitigate CVE-2025-47911 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →