Search for vulnerabilities
Vulnerability details: VCID-8mqq-xttn-byh2
Vulnerability ID VCID-8mqq-xttn-byh2
Aliases CVE-2025-22872
GHSA-vvgc-356p-c3xw
Summary golang.org/x/net vulnerable to Cross-site Scripting The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22872.json
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2025-22872
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.5 https://go.dev/cl/662715
generic_textual MODERATE https://go.dev/cl/662715
ssvc Track https://go.dev/cl/662715
cvssv3.1 6.5 https://go.dev/issue/73070
generic_textual MODERATE https://go.dev/issue/73070
ssvc Track https://go.dev/issue/73070
cvssv3.1 6.5 https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
generic_textual MODERATE https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
ssvc Track https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-22872
cvssv3.1 6.5 https://pkg.go.dev/vuln/GO-2025-3595
generic_textual MODERATE https://pkg.go.dev/vuln/GO-2025-3595
ssvc Track https://pkg.go.dev/vuln/GO-2025-3595
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20250516-0007
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22872.json
https://api.first.org/data/v1/epss?cve=CVE-2025-22872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22872
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://go.dev/cl/662715
https://go.dev/issue/73070
https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
https://nvd.nist.gov/vuln/detail/CVE-2025-22872
https://pkg.go.dev/vuln/GO-2025-3595
https://security.netapp.com/advisory/ntap-20250516-0007
https://security.netapp.com/advisory/ntap-20250516-0007/
1103586 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103586
2360404 https://bugzilla.redhat.com/show_bug.cgi?id=2360404
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22872.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://go.dev/cl/662715
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T20:14:29Z/ Found at https://go.dev/cl/662715
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://go.dev/issue/73070
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T20:14:29Z/ Found at https://go.dev/issue/73070
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T20:14:29Z/ Found at https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://pkg.go.dev/vuln/GO-2025-3595
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T20:14:29Z/ Found at https://pkg.go.dev/vuln/GO-2025-3595
Exploit Prediction Scoring System (EPSS)
Percentile 0.01155
EPSS Score 0.00012
Published At April 17, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-04-16T23:17:20.324306+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-vvgc-356p-c3xw/GHSA-vvgc-356p-c3xw.json 36.0.0