CVE-2025-22872 Information

Apr 17, 2025 cve

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer this can result in such tags incorrectly being marked as self-closing and when using the Parse functions this can result in content following such tags as being placed in the wrong scope during DOM construction but only when tags are in foreign content (e.g. $etc contexts).$

Reference

https://go.dev/cl/662715 https://go.dev/issue/73070 https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA https://pkg.go.dev/vuln/GO-2025-3595

Share on: