The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Related CVEs

CVE-2020-29511

Key Information

GHSA ID

GHSA-g7v2-7v9m-q9j4

Published

May 24, 2022 5:36 PM

Last Modified

July 27, 2023 3:30 PM

CVSS Score

9.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.