CVE-2025-47912

Summary

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/url0 < 1.24.8affected
Go standard librarynet/url1.25.0 < 1.25.2affected

Weaknesses

  • CWE-1286: Improper Validation of Syntactic Correctness of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References