
Andrew Thornton

#35561 of 53,638
7.5 Total CVSS
Vulnerabilities · 1
PT-2021-20075
7.5
2021-02-19
Google · Go · CVE-2021-33194
**Name of the Vulnerable Software and Affected Versions**

- golang.org/x/net versions prior to v0.0.0-20210520170846-37e1c6afe023
- Go versions prior to 1.15.13 and versions 1.16.x through 1.16.4

**Description**

The issue allows attackers to cause a denial of service via crafted `ParseFragment` input, resulting in an infinite loop. An attacker can craft an input to `ParseFragment` that causes it to enter an infinite loop and never return.

**Recommendations**

For golang.org/x/net versions prior to v0.0.0-20210520170846-37e1c6afe023, update to version v0.0.0-20210520170846-37e1c6afe023 or later.

For Go versions prior to 1.15.13, update to version 1.15.13 or later.

For Go versions 1.16.x through 1.16.4, update to version 1.16.5 or later.

As a temporary workaround, consider disabling the `ParseFragment` function until a patch is available.