CVE-2025-22872: golang.org/x/net vulnerable to Cross-site Scripting

April 16, 2025

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

References

github.com/advisories/GHSA-vvgc-356p-c3xw
go.dev/cl/662715
go.dev/issue/73070
groups.google.com/g/golang-announce/c/ezSKR9vqbqA
nvd.nist.gov/vuln/detail/CVE-2025-22872
pkg.go.dev/vuln/GO-2025-3595

Code Behaviors & Features

Detect and mitigate CVE-2025-22872 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →