CVE-2025-22872: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-22872 is a vulnerability discovered in the golang.org/x/net/html package that affects the HTML tokenizer functionality. The vulnerability was disclosed on April 16, 2025, and affects versions before v0.38.0. The issue involves incorrect interpretation of tags with unquoted attribute values that end with a solidus character (/) as self-closing tags (Go Vuln DB, NVD).

The vulnerability occurs when the tokenizer incorrectly interprets tags with unquoted attribute values ending with a solidus character (/) as self-closing. When using the Tokenizer directly, affected tags are incorrectly marked as self-closing. When using Parse functions, content following such tags may be placed in the wrong scope during DOM construction, specifically when tags are in foreign content contexts (e.g., SVG, MathML). The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD).

The vulnerability can result in the tokenizer emitting incorrect tokens and the parser producing an incorrect HTML DOM structure. This affects any tags when using Tokenizer directly, but only impacts tags inside foreign content contexts when using Parse functions (including ParseFragment, ParseFragmentWithOption, and ParseWithOptions) (Golang Announce).

The vulnerability has been fixed in golang.org/x/net version v0.38.0. Users are advised to upgrade to this version to address the security issue (Go Vuln DB).

The vulnerability was responsibly disclosed and reported by Sean Ng. The Go Security team has addressed the issue promptly by releasing a patch and coordinating the disclosure through proper channels (Golang Announce).