{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25679", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-05T01:33:41.943Z", "datePublished": "2026-03-06T21:28:14.211Z", "dateUpdated": "2026-03-10T13:37:02.459Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.211Z"}, "title": "Incorrect parsing of IPv6 host literals in net/url", "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}], "affected": [{"vendor": "Go standard library", "product": "net/url", "collectionURL": "https://pkg.go.dev", "packageName": "net/url", "versions": [{"version": "0", "lessThan": "1.25.8", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "parseHost"}, {"name": "JoinPath"}, {"name": "Parse"}, {"name": "ParseRequestURI"}, {"name": "URL.Parse"}, {"name": "URL.UnmarshalBinary"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"}]}], "references": [{"url": "https://go.dev/cl/752180"}, {"url": "https://go.dev/issue/77578"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "credits": [{"lang": "en", "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:36:26.554241Z", "id": "CVE-2026-25679", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:37:02.459Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:36:26.554241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:36:57.330Z"}}], "cna": {"title": "Incorrect parsing of IPv6 host literals in net/url", "credits": [{"lang": "en", "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"}], "affected": [{"vendor": "Go standard library", "product": "net/url", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.8", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "net/url", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "parseHost"}, {"name": "JoinPath"}, {"name": "Parse"}, {"name": "ParseRequestURI"}, {"name": "URL.Parse"}, {"name": "URL.UnmarshalBinary"}]}], "references": [{"url": "https://go.dev/cl/752180"}, {"url": "https://go.dev/issue/77578"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.211Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25679", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:37:02.459Z", "dateReserved": "2026-02-05T01:33:41.943Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.211Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D293CC0-B163-4E62-B985-52FB6ECA64C5", "versionEndExcluding": "1.25.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}, {"lang": "es", "value": "url.Parse valid\u00f3 insuficientemente el componente de host/autoridad y acept\u00f3 algunas URL inv\u00e1lidas."}], "id": "CVE-2026-25679", "lastModified": "2026-04-21T14:43:03.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:00.720", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/752180"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/77578"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "net/url: Incorrect parsing of IPv6 host literals in net/url", "id": "2445356", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-1286", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25679", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25679\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25679\nhttps://go.dev/cl/752180\nhttps://go.dev/issue/77578\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4601"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "net/url", "source": "cna", "vendor": "Go standard library"}, "product": "net/url", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T11:06:23.569215+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Go release that includes the fix for net/url host parsing.", "If an upgrade is not feasible, perform explicit validation of the host component before calling url.Parse, ensuring that IPv6 literals conform to proper syntax.", "Conduct penetration testing with malformed URLs to verify that the application no longer accepts invalid host literals."], "summary": {"action": "Update", "impact": "Unvalidated URL parsing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Go standard library\u2019s net/url package across all Go releases that have not yet incorporated the fix referenced in issue\u00a077578. Applications built with Go that rely on the default url.Parse function are subject to this oversight.", "description_and_impact": "The Go standard library\u2019s net/url package fails to fully validate the host or authority component of URLs, accepting certain malformed IPv6 host literals. This weak validation means that applications using url.Parse can receive and process URLs that are technically invalid, potentially leading to incorrect logic, unintended behavior, or insecure handling of input data.", "risk_and_exploitability": "With a CVSS score of\u00a07.5, this issue is classified as high severity. The EPSS score of less than\u00a01% indicates a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector involves an attacker supplying a crafted URL containing an invalid IPv6 host literal to a Go application that uses net/url.Parse, which may cause the application to treat the malformed URL as valid and lead to unintended behavior or security bypass."}}}}, "created": "2026-03-09T10:06:18.003081+00:00", "updated": "2026-04-16T11:15:27.680659+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$net/url"]}