PT-2018-14219 · Google · Html Package

Tr3Ee · Published 2018-10-01 · Updated 2023-09-09 · CVE-2018-17847

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: html package (aka x/net/html) versions through 2018-09-25

Description: The html package mishandles certain invalid HTML inputs, such as <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop or (*insertionModeStack).pop in node.go during an html.Parse call.

Recommendations: For versions through 2018-09-25, as a temporary workaround, consider avoiding the use of the html.Parse function with untrusted or potentially malformed HTML inputs until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Buffer Overflow
Improper Validation of Array Index

Related Identifiers

CVE-2018-17847
GHSA-4R78-HX75-JJJ2
GHSA-MV93-WVCP-7M7R
GO-2022-0197

Affected Products

Html Package