
CVE-2025-22872: CWE-79 in golang.org/x/net golang.org/x/net/html

Severity: Medium
Published: Wed Apr 16 2025 (04/16/2025, 17:13:02 UTC)
Source: CVE
Vendor/Project: golang.org/x/net
Product: golang.org/x/net/html

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc. contexts).

AI-Powered Analysis

Last updated: 07/11/2025, 21:31:56 UTC

Technical Analysis

CVE-2025-22872 is a medium severity vulnerability in the golang.org/x/net/html package, specifically in its HTML tokenizer. The tokenizer mishandles tags whose unquoted attribute values end with a solidus character (/): it mistakenly treats such tags as self-closing. When the Tokenizer is used directly, the affected tags are marked self-closing; when the higher-level Parse functions are used, the content that follows such a tag can be placed in the wrong scope of the resulting Document Object Model (DOM) tree, but only when the tag sits in foreign content such as <math> or <svg>. Incorrect DOM construction of this kind is a classic vector for Cross-Site Scripting (XSS) (CWE-79). No exploits are currently reported in the wild. The vulnerability carries a CVSS 3.1 base score of 6.5 (medium): network attack vector, high attack complexity, no privileges or user interaction required, and a scope change. The impact is limited loss of confidentiality, integrity, and availability through injection or manipulation of DOM content in applications that rely on this package for HTML parsing, especially where foreign content is involved. Any Go software that uses golang.org/x/net/html to parse HTML is affected, particularly where it processes untrusted or user-supplied input containing foreign-content tags with unquoted attribute values ending in a solidus.

Potential Impact

For European organizations, the impact of CVE-2025-22872 depends largely on their use of Go-based software that incorporates the golang.org/x/net/html package for HTML parsing. Organizations developing or deploying web applications, content management systems, or services that parse and manipulate HTML content, especially those handling foreign content such as SVG or MathML, may be at risk. An attacker could craft HTML input that exploits the tokenizer's misinterpretation, potentially leading to Cross-Site Scripting (XSS). Such attacks can compromise user data confidentiality, session integrity, and application availability by injecting scripts or manipulating DOM structures. This is particularly critical for sectors handling sensitive data, such as finance, healthcare, and government services, which are prevalent in Europe. Moreover, the scope change in the CVSS vector suggests that the vulnerability could affect components beyond the immediate parsing function, potentially impacting downstream systems or services that consume the parsed DOM. Although no exploits are currently known, the medium severity and the nature of the flaw warrant proactive mitigation, especially in environments with high regulatory compliance requirements such as GDPR.

Mitigation Recommendations

To mitigate CVE-2025-22872, European organizations should take the following specific actions:

1) Audit all Go-based applications and services to identify usage of the golang.org/x/net/html package, focusing on components that parse HTML content containing foreign elements such as <svg> and <math>.
2) Apply patches or updates from the golang.org/x/net maintainers as soon as they become available; if no official patch exists yet, consider temporary input validation that rejects or sanitizes HTML inputs with unquoted attribute values ending in a solidus within foreign content tags.
3) Employ a strict Content Security Policy (CSP) in web applications to limit the impact of potential XSS by restricting script execution and resource loading.
4) Use additional HTML sanitization libraries that correctly handle foreign content and attribute quoting to preprocess inputs before parsing.
5) Conduct thorough security testing, including fuzzing and static analysis, targeting HTML parsing routines to detect similar parsing anomalies.
6) Educate developers about the risks of improper HTML parsing and encourage secure coding practices around input handling and DOM manipulation.
7) Monitor security advisories from the Go project and related communities for updates or exploit reports.

These targeted steps go beyond generic advice by focusing on the specific parsing context and the nature of the vulnerability.
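As an added illustration (not code from the advisory or from the golang.org/x/net project), the following Go program shows the distinction the description turns on and implements the input check recommended in mitigation step 2. parseStartTag tokenizes a single start tag the way the HTML specification prescribes: an unquoted attribute value runs until whitespace or '>', so `<a href=https://example.test/>` carries the value `https://example.test/` and is not self-closing, whereas `<path d="M0 0"/>` and `<br/>` are. flagRiskyTags walks a document with a deliberately simple '>'-split tokenizer, tracks <svg>/<math> nesting, and returns every tag in foreign content whose raw text ends in `/>` but which the spec-correct parse says is not self-closing; those are exactly the tags a vulnerable tokenizer would misread, so a defender can reject them or quote the value before the input reaches the parser. The function names, the sample document and the `example.test` host are constructed for this example, and the parser models the specification's behaviour rather than the library's internals.

```go
package main

import (
	"fmt"
	"strings"
)

// Tag is the result of tokenizing one start tag.
type Tag struct {
	Name        string
	Attrs       map[string]string
	SelfClosing bool
}

const ws = " \t\n\r\f" // HTML whitespace

// after returns the index just past any whitespace run starting at i.
func after(b string, i int) int { return len(b) - len(strings.TrimLeft(b[i:], ws)) }

// upTo returns the index of the first byte at or after i found in stop, or len(b).
func upTo(b string, i int, stop string) int {
	if j := strings.IndexAny(b[i:], stop); j >= 0 {
		return i + j
	}
	return len(b)
}

// parseStartTag tokenizes one raw start tag (e.g. `<path d=M0/>`) as the HTML spec
// prescribes: an unquoted attribute value runs until whitespace or '>', so a trailing
// '/' belongs to the value; only a bare '/' right before '>' makes the tag self-closing.
func parseStartTag(raw string) Tag {
	t := Tag{Attrs: map[string]string{}}
	if len(raw) < 3 || raw[0] != '<' || raw[len(raw)-1] != '>' {
		return t // not a start tag; Name stays empty
	}
	b := raw[1 : len(raw)-1] // drop the surrounding '<' and '>'
	i := upTo(b, 0, ws+"/")
	t.Name = strings.ToLower(b[:i])
	for i = after(b, i); i < len(b); i = after(b, i) {
		if b[i] == '/' {
			t.SelfClosing = i == len(b)-1 // a bare '/' counts only right before '>'
			i++
			continue
		}
		start := i
		i = upTo(b, i, ws+"=/")
		name := strings.ToLower(b[start:i])
		val := ""
		if i = after(b, i); i < len(b) && b[i] == '=' {
			i = after(b, i+1)
			if i < len(b) && (b[i] == '"' || b[i] == '\'') {
				start = i + 1
				i = upTo(b, start, string(b[i]))
				val = b[start:i]
				if i < len(b) {
					i++ // step over the closing quote
				}
			} else {
				start = i // unquoted: runs to whitespace, so a trailing '/' stays in the value
				i = upTo(b, i, ws)
				val = b[start:i]
			}
		}
		t.Attrs[name] = val
	}
	return t
}

// flagRiskyTags lists start tags inside <svg>/<math> content (the opening tag itself
// included, conservatively) that end in "/>" yet are not self-closing per the spec parse:
// the unquoted '/'-terminated value at issue. Splitting on '>' is a simplification.
func flagRiskyTags(doc string) (risky []string) {
	foreign := 0 // nesting depth of <svg>/<math>
	for _, raw := range strings.SplitAfter(doc, ">") {
		if i := strings.LastIndexByte(raw, '<'); i > 0 {
			raw = raw[i:] // drop the text preceding the tag
		}
		if strings.HasPrefix(raw, "</") && strings.HasSuffix(raw, ">") {
			name := strings.ToLower(strings.TrimSpace(raw[2 : len(raw)-1]))
			if foreign > 0 && (name == "svg" || name == "math") {
				foreign--
			}
			continue
		}
		t := parseStartTag(raw)
		if (t.Name == "svg" || t.Name == "math") && !t.SelfClosing {
			foreign++
		}
		if foreign > 0 && t.Name != "" && strings.HasSuffix(raw, "/>") && !t.SelfClosing {
			risky = append(risky, raw)
		}
	}
	return risky
}

// sampleDoc is a constructed input, not taken from the advisory.
const sampleDoc = `<svg><a href=https://example.test/><text>link</text></a><path d="M0 0"/></svg><img src=x/>`

func main() { fmt.Println("quote or reject before parsing:", flagRiskyTags(sampleDoc)) }
```

Running it reports only `<a href=https://example.test/>` from sampleDoc. The quoted `<path d="M0 0"/>` is genuinely self-closing and passes, and `<img src=x/>` after `</svg>` is not reported because it is outside foreign content, matching the advisory's statement that the DOM-scope problem is limited to foreign content; since direct Tokenizer use mis-marks such tags anywhere, a stricter deployment can simply drop the foreign-content condition.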


Technical Details

Data Version: 5.1
Assigner Short Name: Go
Date Reserved: 2025-01-08T19:11:42.834Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeba5f

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 9:31:56 PM

Last updated: 8/14/2025, 5:18:50 PM
