x/net/html: ParseFragment out of memory on specially crafted input

[personnumber3377]

Go version

go1.23.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/oof/.cache/go-build'
GOENV='/home/oof/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/oof/.asdf/installs/golang/1.23.1/packages/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/oof/.asdf/installs/golang/1.23.1/packages'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/oof/.asdf/installs/golang/1.23.1/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/oof/.asdf/installs/golang/1.23.1/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/oof/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1768793625=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Hi!

I originally reported this as a security issue, but this wasn't categorized as such, so I am just going to paste the original report here:

Summary: Out-Of-Memory (OOM) in net/html in golang

Program: Google VRP

URL: https://github.com/golang/net/

Vulnerability type: Denial of Service (DoS)

Details
An attacker can cause Out-Of-Memory by passing a maliciously crafted input to html.ParseFragment. The input is this string: "<svg><head><title><select><input>" which makes the program consume all of the systems available memory.

Here is an example program which demonstrates this vulnerability:


package main

import (
	"golang.org/x/net/html"
	"strings"
)

func main() {
	html.ParseFragment(strings.NewReader("<svg><head><title><select><input>"), nil)
}


My golang version is go version go1.23.1 linux/amd64 and I am using the v0.30.0 version of the net library.

This vulnerability does not occur in html.Parse, only in html.ParseFragment which I found a bit odd.

Attack scenario
An attacker can use this vulnerability to cause degradation in performance and Denial-Of-Service if said attacker can deliver malicious input to html.ParseFragment . The effects of this vulnerability are basically the same as any other OOM bug. I uploaded all the files which I played around with as files.zip.

What did you see happen?

This causes an out-of-memory condition when parsing a specially crafted input.

What did you expect to see?

The program should parse the input or fail with an error, not consume all of the systems memory.

[gabyhelp]

Related Issues and Documentation

• x/net: 6 high vulnerabilities exist in golang.org/x/net #41419 (closed)
• x/net/html: html.Parse() panic caused by malformed data #27702 (closed)
• x/net/html: panic: runtime error: invalid memory address or nil pointer dereference #27704 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[odeke-em]

Thank you @personnumber3377 for reporting this bug. Given that this is a security bug, I shall route it to @rolandshoemaker and @golang/security. Thanks for the vector, interestingly I was fuzzing x/net/html.Parse given similar inputs found by @tr3ee in a whole range of issues for Parse.

[guidovranken]

html.Parse is also affected (presumably the same issue but I haven't checked):

package main

import (
    "golang.org/x/net/html"
    "strings"
)

func main() {
    html.Parse(strings.NewReader("<table><tbody><svg><td><desc><select></select></tbody>"))
}

[logrusorgru]

go version go1.23.5 linux/amd64

Local testing go.mod:

golang.org/x/net v0.34.0

go.sum:

golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=

---

This

package main

import (
	"golang.org/x/net/html"
	"strings"
)

func main() {
	html.ParseFragment(strings.NewReader("<svg><head><title><select><input>"), nil)
}

Ends quickly without a problem.

But this

package main

import (
    "golang.org/x/net/html"
    "strings"
)

func main() {
    html.Parse(strings.NewReader("<table><tbody><svg><td><desc><select></select></tbody>"))
}

Leads to infinity processing. No memory eating at a 1 minute distance found.