Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
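A defensive check for code that must also run on affected Go releases, shown as an added example (it is not the Go project's fix). It assumes the Parse function in question is net/url's url.Parse. The names ParseStrict, checkBracketedHost and ErrBracketedHost are hypothetical, and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBracketedHost is returned when "[...]" in the host is not an IPv6 literal.
var ErrBracketedHost = errors.New("bracketed host is not an IPv6 address")

// checkBracketedHost validates a parsed URL's Host field, e.g. "[::1]:8080".
func checkBracketedHost(host string) error {
	if !strings.HasPrefix(host, "[") {
		return nil // no brackets: left to the caller's own host rules
	}
	end := strings.LastIndex(host, "]")
	if end < 0 {
		return ErrBracketedHost
	}
	// ParseAddr accepts an optional zone ("fe80::1%eth0"), as stored in Host.
	addr, err := netip.ParseAddr(host[1:end])
	if err != nil || !addr.Is6() {
		return ErrBracketedHost // hostname or IPv4 address inside brackets
	}
	return nil
}

// ParseStrict wraps url.Parse so affected and fixed releases reject alike.
func ParseStrict(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := checkBracketedHost(u.Host); err != nil {
		return nil, fmt.Errorf("%q: %w", raw, err)
	}
	return u, nil
}

func main() {
	// Constructed sample inputs: one valid IPv6 literal, two invalid hosts.
	for _, raw := range []string{"http://[::1]/", "http://[example.com]/", "http://[192.0.2.1]:8080/"} {
		_, err := ParseStrict(raw)
		fmt.Printf("%-28s err=%v\n", raw, err)
	}
}
```

On a fixed release the two invalid inputs are already rejected by url.Parse itself, so the wrapper only changes behaviour on affected versions.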

PUBLISHED Reserved 2025-05-13 | Published 2025-10-29 | Updated 2025-10-29 | Assigner Go

Problem types

CWE-1286: Improper Validation of Syntactic Correctness of Input

Product status

Default status: unaffected

Any version before 1.24.8: affected

1.25.0 (semver) before 1.25.2: affected

Credits

Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University

References

go.dev/issue/75678

go.dev/cl/709857

groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

pkg.go.dev/vuln/GO-2025-4010

cve.org (CVE-2025-47912)

nvd.nist.gov (CVE-2025-47912)
