
CVE-2026-25680 Medium False Positive

html: Denial of Service via Cubic Complexity During Tree Construction

This CVE does not affect KrakenD

KrakenD is an API gateway and does not use golang.org/x/net/html to parse HTML content from user requests. The vulnerable HTML parsing code path is never invoked during KrakenD operation.

Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.

Component

golang.org/x/net (html)

Disclosed

May 26, 2026

Description

Go’s golang.org/x/net/html package uses a cubic-complexity algorithm when constructing the HTML parse tree for certain pathological inputs. A crafted HTML document can cause the parser to perform an excessive amount of work, leading to denial of service.
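The false-positive verdict above rests on a package-level distinction: a build can pull in the golang.org/x/net module without ever importing its html package. The sketch below is an added example, not KrakenD's code; importChain is a hypothetical helper and the example.com sources are constructed samples.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

const vulnPkg = "golang.org/x/net/html" // package named in the advisory

// Constructed sample sources (import path -> file), not taken from KrakenD.
var sampleSrcs = map[string]string{
	"example.com/gateway":         "package main\nimport \"golang.org/x/net/http2\"",
	"example.com/scraper":         "package main\nimport \"example.com/scraper/extract\"",
	"example.com/scraper/extract": "package extract\nimport \"golang.org/x/net/html\"",
}

// importChain walks imports breadth-first from root and returns the shortest
// import chain ending at vulnPkg, or nil when root never reaches it.
func importChain(srcs map[string]string, root string) ([]string, error) {
	chains := map[string][]string{root: {root}}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		pkg := queue[0]
		if pkg == vulnPkg {
			return chains[pkg], nil
		}
		src, ok := srcs[pkg]
		if !ok {
			continue // no source in the sample set: treated as a leaf here
		}
		f, err := parser.ParseFile(token.NewFileSet(), pkg+".go", src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, spec := range f.Imports {
			path, _ := strconv.Unquote(spec.Path.Value) // literal already validated by the parser
			if _, seen := chains[path]; !seen {
				chains[path] = append(append([]string{}, chains[pkg]...), path)
				queue = append(queue, path)
			}
		}
	}
	return nil, nil
}

func main() {
	fmt.Println(importChain(sampleSrcs, "example.com/gateway")) // same module, html never imported
	fmt.Println(importChain(sampleSrcs, "example.com/scraper")) // html reached through extract
}
```

On a real module, `go mod why golang.org/x/net/html` reports the same shortest import chain across transitive dependencies.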
