CVE-2025-22872

6.5 MEDIUM
Published: April 16, 2025 Modified: April 15, 2026
View on NVD

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://go.dev/cl/662715
Source: security@golang.org
https://go.dev/issue/73070
Source: security@golang.org
https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
Source: security@golang.org
https://pkg.go.dev/vuln/GO-2025-3595
Source: security@golang.org
https://security.netapp.com/advisory/ntap-20250516-0007/
Source: af854a3a-2127-422b-91ae-364da2661108

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.1%
31th percentile
Exploitation Status
Not in CISA KEV