CVE-2025-47911 identifies a denial of service vulnerability in the golang.org/x/net/html package, specifically in the html.Parse function. The root cause is the quadratic time complexity of the parsing algorithm when handling certain crafted HTML inputs. This means that the time and resources required to parse input grow disproportionately with input size, allowing attackers to craft inputs that cause excessive CPU and memory consumption. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that it can exhaust system resources and degrade or halt service availability. The vulnerability affects all versions of the package prior to the fix, with no patch currently published. Exploitation does not require authentication or user interaction, and no known exploits have been observed in the wild yet. The golang.org/x/net/html package is widely used in Go applications for HTML parsing, including web servers, crawlers, and other networked services. An attacker can exploit this vulnerability by submitting specially crafted HTML content to a vulnerable service, causing it to consume excessive resources and potentially crash or become unresponsive. This can lead to denial of service conditions, impacting service availability and reliability. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

For European organizations, this vulnerability poses a significant risk to any service or application that uses the golang.org/x/net/html package to parse HTML content, especially if that content is user-supplied or otherwise untrusted. The uncontrolled resource consumption can lead to denial of service, causing service outages or degraded performance. This can affect web services, APIs, and backend systems, potentially disrupting business operations and customer-facing services. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that rely on Go-based applications may face operational risks and reputational damage. Additionally, the increased resource usage could lead to higher operational costs due to scaling or recovery efforts. Since exploitation does not require authentication or user interaction, the attack surface is broad, increasing the likelihood of opportunistic attacks. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

European organizations should implement the following specific mitigations: 1) Monitor and audit usage of the golang.org/x/net/html package in internal and third-party applications to identify vulnerable versions. 2) Apply strict input validation and sanitization to limit the size and complexity of HTML content accepted from untrusted sources. 3) Implement resource usage limits such as CPU timeouts, memory caps, and request rate limiting on services that parse HTML to prevent resource exhaustion. 4) Use sandboxing or containerization to isolate parsing processes, minimizing impact on critical systems. 5) Stay informed about official patches or updates from the Go project and plan timely upgrades once fixes are released. 6) Consider alternative HTML parsing libraries with better performance characteristics if immediate patching is not feasible. 7) Conduct stress testing with crafted inputs to evaluate system resilience and tune defenses accordingly. 8) Employ Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) to detect and block suspicious payloads targeting this vulnerability.