{"id":"GO-2024-3333","summary":"Non-linear parsing of case-insensitive content in golang.org/x/net/html","details":"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.","aliases":["CVE-2024-45338","GHSA-w32m-9786-jp63"],"modified":"2026-03-24T23:55:17.997380Z","published":"2024-12-18T20:22:06Z","related":["CGA-jv42-72qq-9w5c"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-3333"},"references":[{"type":"FIX","url":"https://go.dev/cl/637536"},{"type":"REPORT","url":"https://go.dev/issue/70906"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"}],"affected":[{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.33.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Parse","ParseFragment","ParseFragmentWithOptions","ParseWithOptions","htmlIntegrationPoint","inBodyIM","inTableIM","parseDoctype"],"path":"golang.org/x/net/html"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-3333.json"}}],"schema_version":"1.7.5","credits":[{"name":"Guido Vranken"}]}