CVE-2025-47912

Name

CVE-2025-47912

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@golang.org	https://go.dev/cl/709857
security@golang.org	https://go.dev/issue/75678
security@golang.org	https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
security@golang.org	https://pkg.go.dev/vuln/GO-2025-4010
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/10/08/1

CPE URI	Source package	Min version	Max version
	net/url	>= 0	< 1.24.8
	net/url	>= 1.25.0	< 1.25.2

Source package	Branch	Version	Maintainer	Status
go	edge-community	1.25.2-r0	Achill Gilgenast <achill@achill.org>	fixed
go	3.22-community	1.24.8-r0	None	fixed

References

Match rules

Vulnerable and fixed packages