CVE-2018-17846 — Infinite loop due to improper handling of "select" tags in golang.org/x/net/html

Description

html.Parse does not properly handle "select" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.

How to fix CVE-2018-17846

To remediate CVE-2018-17846, upgrade the affected package to a fixed version below.

Go/golang.org/x/net—upgrade to 0.0.0-20190125091013-d26f9f9a57f3 or later
—upgrade to 0.0.0-20190125091013-d26f9f9a57f3 or later

Is CVE-2018-17846 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.0.0-20190125091013-d26f9f9a57f3
from 0, < 0.0.0-20190125091013-d26f9f9a57f3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-17846
WEBgithub.com/golang/go/issues/27842
WEBgo.dev/issue/27842
WEBgo.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
WEBgo-review.googlesource.com