Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

INFO

Published Date :

2025-04-16T17:13:02.550Z

Last Modified :

2025-04-16T20:15:13.433Z

Source :

Go
AFFECTED PRODUCTS

The following products are affected by CVE-2025-22872 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-22872.

URL Resource
https://github.com/advisories/GHSA-vvgc-356p-c3xw cve-icon
https://go.dev/cl/662715 cve-icon cve-icon cve-icon
https://go.dev/issue/73070 cve-icon cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-22872 cve-icon
https://pkg.go.dev/vuln/GO-2025-3595 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-22872 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact