CVE-2018-17847: golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.75005%
CWE
Published
5/13/2022
Updated
5/20/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
golang.org/x/net | go | < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key functions:
- (*nodeStack).contains in node.go failed to distinguish namespaces, allowing invalid stack states. The commit 4b62a64 explicitly fixes this by adding namespace checks.
- (*parser).clearActiveFormattingElements in parse.go directly interacts with the stack and triggered the panic via 'pop' after relying on the faulty 'contains' logic. The stack trace in the issue (#27846) and CVE description both implicate this function as the panic entry point. Both functions are necessary to reproduce the vulnerability.