CVE-2026-25680 golang.org/x/net CVE debrief

Who should care

Development teams using Go applications that parse untrusted HTML content, security operations centers monitoring for resource exhaustion attacks, and DevSecOps pipelines tracking dependency vulnerabilities in golang.org/x/net.

Technical summary

The `golang.org/x/net/html` package in versions before 0.55.0 contains a denial-of-service vulnerability. When parsing arbitrary HTML input, the tokenizer can enter a state that consumes excessive CPU time. The CVSS 3.1 score is 6.5 (Medium), with network attack vector, low complexity, no required privileges, and required user interaction. The confidentiality and integrity impacts are none, with high availability impact. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The fix was committed in Go change list 781702 and tracked as issue 79573.

Defensive priority

medium

Recommended defensive actions

• Upgrade golang.org/x/net to version 0.55.0 or later.
• Review applications that parse untrusted HTML using golang.org/x/net/html and implement input size limits or timeout controls as defense in depth.
• Monitor Go security announcements for related updates.

Evidence notes

The NVD record lists the vulnerability status as 'Analyzed' with CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H scoring 6.5. CPE criteria identifies cpe:2.3:a:golang:net:*:*:*:*:*:go:*:* as vulnerable with versionEndExcluding 0.55.0. Weakness enumeration is CWE-400 (Uncontrolled Resource Consumption). Source references include the Go change list, issue tracker, security announcement mailing list, and official Go vulnerability database entry GO-2026-5028.

Official resources