Miggo Logo
Miggo Vulnerability Database
CVE-2021-33194

CVE-2021-33194: golang.org/x/net/html Infinite Loop vulnerability

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-33194
GHSA ID
GHSA-83g2-8m93-v3w7
EPSS Score
0.08893%
CWE
CWE-835
Published
5/24/2022
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
golang.org/x/netgo< 0.0.0-20210520170846-37e1c6afe0230.0.0-20210520170846-37e1c6afe023

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit 37e1c6a specifically modifies inHeadIM in html/parse.go to add checks for foreign content when processing <template> tags. The vulnerability manifests when parsing maliciously crafted ParseFragment inputs mixing foreign content and templates, which the original inHeadIM implementation couldn't handle properly. The added loop checking for non-empty namespaces in open elements and setting ignoreTheRemainingTokens directly addresses the infinite loop scenario. Test cases in parse_test.go (e.g., TestParseFragmentForeignContentTemplates) validate() this fix by ensuring such inputs no longer cause hangs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o t*rou** *.**.** *n* *.**.x t*rou** *.**.* **s * *ol*n*.or*/x/n*t/*tml in*init* loop vi* *r**t** P*rs**r**m*nt input.

Reasoning

T** *ommit ******* sp**i*i**lly mo*i*i*s `in****IM` in `*tml/p*rs*.*o` to *** ****ks *or *or*i*n *ont*nt w**n pro**ssin* <t*mpl*t*> t**s. T** vuln*r**ility m*ni**sts w**n p*rsin* m*li*iously *r**t** `P*rs**r**m*nt` inputs mixin* *or*i*n *ont*nt *n* t