Go html parser: HTML tokenizer self-closing tag misinterpretation in Go x/net/html leading to DOM scope errors (CWE-79) (CVE-2025-22872) #shorts

Summary

Welcome to today’s security briefing. In this episode we’re examining CVE-2025-22872, a moderate but potentially impactful bug in the Go html tokenizer. Discovered in April 2025, this flaw can lead to incorrect parsing of certain tags in foreign content contexts like SVG and MathML, potentially resulting in misplaced DOM nodes and unexpected behavior in applications that rely on Go’s html parsing library.

Product details

The vulnerability resides in the Go standard library module golang.org/x/net/html, versions earlier than 0.38.0. Downstream, it affects any software that embeds this module for HTML parsing. Notable distributions shipping impacted code include SUSE Linux Micro 6.1 (notably in Helm deployments, tracked as bsc#1241802) and Fedora 41, which bundles the glow documentation viewer with the vulnerable html parser.

Vulnerability type summary

CVE-2025-22872 is classified under CWE-79, improper neutralization of input during web page generation. It’s not a buffer overflow or memory corruption, but rather an HTML tokenization logic error. By misidentifying tags with unquoted attribute values ending in a slash as self-closing, it alters the Document Object Model structure in foreign content contexts.

Details of the vulnerability

At the root of the issue is how the Go html Tokenizer handles attribute values that are unquoted and end with '/'. When parsing tags inside <svg>, <math>, or other non-HTML namespaces, the tokenizer can mark such tags as self-closing even though they are not. If you use the Tokenizer API directly, it may emit a self-closing tag token incorrectly. If you rely on the higher-level Parse functions, the elements or text nodes that follow can be placed in the wrong scope, potentially leading to layout errors, DOM injection flaws, or logic bypasses in applications that sanitize or transform HTML based on structural assumptions.
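As an added illustration, not code from the x/net project or from this briefing, the Go program below models the two ways a trailing solidus in a start tag can be read. ClassifyTag follows the HTML attribute-value rules, under which a '/' inside an unquoted value is part of the value, so `<rect data-test=/>` is an ordinary start tag with data-test="/". naiveSelfClosing is an assumed, simplified model of the pre-0.38.0 behaviour described above (decide by looking at the byte before '>'), not the library's actual code. FindMisreadTags runs the comparison over a whole document as a defender's pre-check for logging or rejecting input while a vulnerable library version is still deployed; the sample document in main is constructed, and the document scanner is deliberately simple (it does not handle a '>' inside a quoted value).

```go
package main

import (
	"fmt"
	"strings"
)

type Attr struct{ Key, Val string } // one attribute of a start tag

// TagInfo classifies one raw start tag. SelfClosing is the spec-conformant
// answer; Misread is true when the "byte before '>' is '/'" heuristic (our
// model of the pre-0.38.0 behaviour the page describes) disagrees with it.
type TagInfo struct {
	Name        string
	Attrs       []Attr
	SelfClosing bool
	Misread     bool
}

func isSpace(c byte) bool { return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f' }
func isAlpha(c byte) bool { return (c|0x20) >= 'a' && (c|0x20) <= 'z' }

// scan advances i through b while pred holds for the byte at i.
func scan(b string, i int, pred func(byte) bool) int {
	for i < len(b) && pred(b[i]) {
		i++
	}
	return i
}

// naiveSelfClosing models the flawed heuristic: self-closing whenever the
// byte immediately before the closing '>' is '/', wherever it came from.
func naiveSelfClosing(raw string) bool { return len(raw) >= 3 && raw[len(raw)-2] == '/' }

// ClassifyTag tokenizes one raw start tag (from '<' to '>') following the HTML
// attribute-value states: inside an unquoted value '/' is ordinary data, so only
// a '/' outside any value, and directly before '>', makes the tag self-closing.
func ClassifyTag(raw string) (TagInfo, error) {
	var info TagInfo
	if len(raw) < 3 || raw[0] != '<' || raw[len(raw)-1] != '>' || !isAlpha(raw[1]) {
		return info, fmt.Errorf("not a complete start tag: %q", raw)
	}
	b := raw[1 : len(raw)-1] // strip '<' and '>'
	i := scan(b, 0, func(c byte) bool { return !isSpace(c) && c != '/' })
	info.Name = strings.ToLower(b[:i])
	for i = scan(b, i, isSpace); i < len(b); i = scan(b, i, isSpace) {
		if b[i] == '/' { // counts only when it is the last byte before '>'
			i++
			info.SelfClosing = i == len(b)
			continue
		}
		start := i
		i = scan(b, i, func(c byte) bool { return !isSpace(c) && c != '=' && c != '/' })
		a := Attr{Key: strings.ToLower(b[start:i])}
		if i = scan(b, i, isSpace); i < len(b) && b[i] == '=' {
			i = scan(b, i+1, isSpace)
			if i < len(b) && (b[i] == '"' || b[i] == '\'') { // quoted value
				q := b[i]
				start = i + 1
				i = scan(b, start, func(c byte) bool { return c != q })
				a.Val = b[start:i]
				i++ // step past the closing quote (or past the end if unterminated)
			} else { // unquoted value: runs to whitespace, '/' included
				start = i
				i = scan(b, i, func(c byte) bool { return !isSpace(c) })
				a.Val = b[start:i]
			}
		}
		info.Attrs = append(info.Attrs, a)
	}
	info.Misread = naiveSelfClosing(raw) != info.SelfClosing
	return info, nil
}

// FindMisreadTags returns the start tags in doc that the flawed heuristic would
// wrongly mark self-closing: a defender's pre-check for logging or rejecting
// input while a vulnerable library version is still deployed.
func FindMisreadTags(doc string) []string {
	var hits []string
	for i := 0; i < len(doc); i++ {
		if doc[i] != '<' || i+1 >= len(doc) || !isAlpha(doc[i+1]) {
			continue
		}
		j := strings.IndexByte(doc[i:], '>') // simple scanner: a '>' inside a quoted value cuts the tag short
		if j < 0 {
			break
		}
		j += i
		if info, err := ClassifyTag(doc[i:j+1]); err == nil && info.Misread {
			hits = append(hits, doc[i:j+1])
		}
		i = j
	}
	return hits
}

func main() {
	// Constructed sample input, not captured from any real application.
	fmt.Println(FindMisreadTags(`<svg><rect data-test=/><text>hi</text></svg><p id="x"/>`))
}
```

Only the rect tag is reported: `<p id="x"/>` and `<br/>`-style tags are self-closing under both readings, while any unquoted value whose last byte is '/' (an unquoted URL such as `href=https://example.test/` included) is the case where the two readings diverge. The same check applies to the parse step of the attack chain described later on this page.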

Conclusion

To remediate CVE-2025-22872, upgrade golang.org/x/net/html to version 0.38.0 or later. SUSE Linux Micro 6.1 users should apply the bsc#1241802 patch. Fedora 41 administrators can install the updated glow 2.1.1 package. Although this isn’t a zero-day exploit in the wild, it’s important for all developers and operators using Go’s html parser to update promptly and verify that their XML or foreign-content workflows remain reliable and secure. Thanks for listening—stay safe and keep your dependencies up to date.

Watch the full video on YouTube: CVE-2025-22872

Remediation and exploitation details

This chain involves the following actors

  • Malicious Content Author: Prepares and delivers crafted HTML payloads
  • Go Application Developer: Integrates and uses the Go HTML parser in applications
  • End User: Receives or views the processed HTML content

The following systems are involved

  • golang.org/x/net/html parser (Transforms HTML text into a document object model): Vulnerable component misparsing tags in foreign content
  • Web Application (Accepts and processes user-supplied HTML): Hosts the vulnerable parser call
  • Web Browser (Renders the DOM and executes scripts): Executes injected code

Attack entry point

  • Foreign content HTML input: User-controlled HTML containing tags in <svg> or <math> contexts with unquoted attribute values ending in '/'
  • Call to html.Parse or Tokenizer: Parsing function in a vulnerable version of golang.org/x/net/html

Remediation actions

  • Go Application Developer: Update golang.org/x/net/html to version 0.38.0 or later (target: golang.org/x/net/html parser)
  • System Administrator: Apply distribution security updates for SUSE Linux Micro 6.1 or Fedora 41 (target: operating system packaging)
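To confirm which golang.org/x/net version a build actually resolves (the html package ships inside that module, and the CVE record lists versions below 0.38.0 as affected), here is an added Go helper that is not part of this page or of the Go project. It reads the output of `go list -m all`, honours a replace directive when it names a versioned module, and compares the resolved version against v0.38.0. The go list excerpt in SampleGoList is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// FixedXNet is the first golang.org/x/net release that carries the fix the
// page cites; the html package lives inside that module.
const FixedXNet = "v0.38.0"

// SampleGoList is a constructed `go list -m all` excerpt, not from a real project.
const SampleGoList = `example.com/app
golang.org/x/net v0.37.0
golang.org/x/text v0.24.0
`

// parseSemver extracts major, minor and patch from a Go module version such
// as "v0.37.0" or the pseudo-version "v0.0.0-20240101000000-abcdef123456".
// Pre-release and build suffixes are dropped, so a pinned pre-release of
// v0.38.0 is treated like the release and should be checked by hand.
func parseSemver(v string) ([3]int, error) {
	var n [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return n, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return n, fmt.Errorf("not a semver version: %q", v)
		}
		n[i] = x
	}
	return n, nil
}

// OlderThan reports whether module version a sorts before version b.
func OlderThan(a, b string) (bool, error) {
	na, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	nb, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i], nil
		}
	}
	return false, nil
}

// AuditXNet reads `go list -m all` output and returns the resolved
// golang.org/x/net version and whether it is below FixedXNet. Lines look like
// "path version" or "path version => newpath newversion"; a replace directive
// wins when it names a versioned module, and a directory replacement is an
// error because its content cannot be judged from the list alone. An empty
// version with vulnerable == false means the module is not a dependency.
func AuditXNet(goListOutput string) (version string, vulnerable bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "golang.org/x/net" {
			continue
		}
		version = f[1]
		if version == "=>" || (len(f) > 2 && f[2] == "=>") { // replace directive
			last := f[len(f)-1]
			if !strings.HasPrefix(last, "v") {
				return "", false, fmt.Errorf("golang.org/x/net is replaced by %q; inspect it manually", last)
			}
			version = last
		}
		vulnerable, err = OlderThan(version, FixedXNet)
		return version, vulnerable, err
	}
	return "", false, nil
}

func main() {
	v, vuln, err := AuditXNet(SampleGoList)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case v == "":
		fmt.Println("golang.org/x/net is not a dependency")
	case vuln:
		fmt.Printf("golang.org/x/net %s is below %s: update\n", v, FixedXNet)
	default:
		fmt.Printf("golang.org/x/net %s already carries the fix\n", v)
	}
}
```

In a real module, pipe the live output in (`go list -m all | ...`) or pass it to AuditXNet from a build script. Treat this as a quick gate, not the whole story: govulncheck from golang.org/x/vuln also tells you whether the affected html package is actually reachable from your code, which is what decides the urgency of the upgrade.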

Exploitation actions

Unquoted attribute value ending with '/' is misinterpreted as self-closing
  • Actor: Malicious Content Author
  • Action: Crafts an HTML payload using a foreign content tag (e.g. <svg>) with an unquoted attribute value that ends in a slash
  • Target: Web Application input
  • Example: <svg><rect data-test=/><script>alert('XSS')</script></svg>

HTTP POST or direct API call with the malicious HTML body
  • Actor: Malicious Content Author
  • Action: Submits the crafted payload to the application’s HTML parsing endpoint
  • Target: Web Application
  • Example: POST /render HTML: <svg>…</svg>

Tokenizes the unquoted attribute ending with '/' as a self-closing tag
  • Actor: Web Application
  • Action: Invokes html.Parse on the submitted HTML
  • Target: golang.org/x/net/html parser
  • Example: Parser treats <rect data-test=/> as <rect … /> and closes the <svg> early

Incorrect DOM scoping after misinterpreting a self-close
  • Actor: golang.org/x/net/html parser
  • Action: Places the subsequent <script> tag outside of the foreign content scope
  • Target: DOM builder in the Go parser
  • Example: Script node lands in the main HTML tree rather than inside <svg>

Script execution in the user’s context leading to cross-site scripting
  • Actor: Web Browser
  • Action: Renders the manipulated DOM and executes the injected script
  • Target: Web Browser
  • Example: Alert popup or session token theft via the injected script

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID: CVE-2025-22872
Description: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc. contexts).
Provider: Go
CWE / problem types: CWE-79
Affected software versions: golang.org/x/net (package golang.org/x/net/html), all versions from 0 up to but not including 0.38.0 (semver)
Date published: 2025-04-16T17:13:02.550Z
Last updated: 2025-05-16T23:03:07.693Z