Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unvalidated URL parsing
Action: Update
AI Analysis

Impact

The Go standard library’s net/url package fails to fully validate the host or authority component of URLs, accepting certain malformed IPv6 host literals. This weakness corresponds to CWE-1286 (Improper Validation of Input) and CWE-425 (Host/Authority Parsing Weakness). The insufficient validation means that applications using url.Parse can receive and process URLs that are technically invalid, potentially leading to incorrect logic, unintended behavior, or insecure handling of input data.

Affected Systems

The vulnerability affects the Go standard library’s net/url package across all Go releases that have not yet incorporated the fix referenced in issue 77578. Applications built with Go that rely on the default url.Parse function are subject to this oversight.

Risk and Exploitability

With a CVSS score of 7.5, this issue is classified as high severity. The EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker supplying a crafted URL containing an invalid IPv6 host literal to a Go application that uses net/url.Parse, which may cause the application to treat the malformed URL as valid and lead to unintended behavior or security bypass.

Generated by OpenCVE AI on April 21, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that includes the fix for net/url host parsing.
  • If an upgrade is not feasible, perform explicit validation of the host component before calling url.Parse, ensuring that IPv6 literals conform to proper syntax.
  • Conduct penetration testing with malformed URLs to verify that the application no longer accepts invalid host literals.

Generated by OpenCVE AI on April 21, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-425
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library net/url
Vendors & Products Go Standard Library
Go Standard Library net/url

Fri, 06 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Title Incorrect parsing of IPv6 host literals in net/url
References

Subscriptions

Go Standard Library Net/url
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-10T13:37:02.459Z

Reserved: 2026-02-05T01:33:41.943Z

Link: CVE-2026-25679

cve-icon Vulnrichment

Updated: 2026-03-10T13:36:57.330Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T22:16:00.720

Modified: 2026-04-21T14:43:03.800

Link: CVE-2026-25679

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-06T21:28:14Z

Links: CVE-2026-25679 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:45:02Z

Weaknesses