CVE-2021-33194: golang.org/x/net/html Infinite Loop vulnerability
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.08893%
CWE
Published
5/24/2022
Updated
5/20/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| golang.org/x/net | go | < 0.0.0-20210520170846-37e1c6afe023 | 0.0.0-20210520170846-37e1c6afe023 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit 37e1c6a specifically modifies inHeadIM in html/parse.go to add checks for foreign content when processing <template> tags. The vulnerability manifests when parsing maliciously crafted ParseFragment inputs mixing foreign content and templates, which the original inHeadIM implementation couldn't handle properly. The added loop checking for non-empty namespaces in open elements and setting ignoreTheRemainingTokens directly addresses the infinite loop scenario. Test cases in parse_test.go (e.g., TestParseFragmentForeignContentTemplates) validate() this fix by ensuring such inputs no longer cause hangs.