Description

By default, gopls communicates via a pipe. However, the -port and -listen flags are supported as a means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or if -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind to 0.0.0.0. This can allow a malicious party on the same network to execute arbitrary code via gopls.
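A listen address with an empty host is treated by Go's net package as "all local addresses", which is why a value like :8080 is exposed to the network. The following added example (not gopls code and not the project's fix) classifies such addresses and rewrites them to loopback; the helper names bindsAllInterfaces and loopbackOnly and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// bindsAllInterfaces reports whether addr (host:port form) has an empty or
// unspecified host, i.e. a listener on it is reachable from the network.
func bindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil // ":8080" - Go's net package listens on all addresses
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified(), nil // "0.0.0.0" or "::"
}

// loopbackOnly (hypothetical helper) rewrites a wildcard address to loopback
// and returns addresses with an explicit host unchanged.
func loopbackOnly(addr string) (string, error) {
	wild, err := bindsAllInterfaces(addr)
	if err != nil || !wild {
		return addr, err
	}
	host, port, _ := net.SplitHostPort(addr)
	if ip := net.ParseIP(host); ip != nil && ip.To4() == nil {
		return net.JoinHostPort("::1", port), nil // IPv6 wildcard "::"
	}
	return net.JoinHostPort("127.0.0.1", port), nil
}

func main() {
	// Constructed sample values for a -listen style flag.
	samples := []string{":8080", "0.0.0.0:8080", "[::]:8080", "localhost:8080", "127.0.0.1:8080"}
	for _, addr := range samples {
		wild, _ := bindsAllInterfaces(addr)
		safe, _ := loopbackOnly(addr)
		fmt.Printf("%-18q all-interfaces=%-5v loopback form=%q\n", addr, wild, safe)
	}
}
```
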

PUBLISHED Reserved 2026-04-28 | Published 2026-05-06 | Updated 2026-05-07 | Assigner Go

Problem types

CWE-1327 Binding to an unrestricted IP address

Product status

Default status: unaffected

0.0.0 (semver) before 0.22.0: affected

References

go.dev/issue/79211

go.dev/cl/774381

cve.org (CVE-2026-42503)

nvd.nist.gov (CVE-2026-42503)