Go net/url Package Bracketed IPv6 Hostname Validation Vulnerability
Vulnerability
A vulnerability exists in the Go programming language's net/url package, specifically in the URL parsing function url.Parse. It allows values other than valid IPv6 addresses to appear inside square brackets in the host component of a URL. According to RFC 3986, square brackets in the host component are reserved for IP literals (IPv6 addresses), while IPv4 addresses and hostnames must not be bracketed. The Parse function did not enforce this restriction, so such URLs could be misinterpreted by code that relies on it.
Impact
Exploitation of this vulnerability could result in incorrect URL parsing, allowing invalid host components to be processed as if they were valid. This could lead to unexpected behavior in applications that rely on accurate URL parsing, such as network communications or web requests.
Reproduction
The vulnerability can be reproduced by calling the Parse function from the net/url package in Go versions prior to 1.24.8, and in 1.25.0 and later versions before 1.25.2. When a URL whose host contains an IPv4 address or a hostname in square brackets is parsed, Parse incorrectly accepts it as valid, even though RFC 3986 prohibits this form.
Remediation
Users can upgrade to Go versions 1.24.8 or 1.25.2, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
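The following is an added example written for this page, not code from the Go project or from the advisory. It shows the bracketed-host check described in the Reproduction and Remediation sections as an application-level guard: after url.Parse, it independently verifies that anything inside square brackets in the host component is an IPv6 literal (with an optional zone), rejecting bracketed IPv4 addresses and hostnames. The guard does not depend on which Go version is installed, so it works both on the affected versions and as a belt-and-braces check after upgrading. The function names, the sample URLs and the zone-stripping rule are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBracketedNonIPv6 is returned when square brackets in the host component
// do not enclose an IPv6 literal (the only thing RFC 3986 allows there).
var ErrBracketedNonIPv6 = errors.New("bracketed host is not an IPv6 literal")

// CheckBracketedHost inspects a raw host[:port] string as found in url.URL.Host.
// It returns nil for unbracketed hosts (nothing to enforce here) and for
// bracketed IPv6 literals, and a non-nil error for bracketed IPv4 addresses
// and bracketed hostnames. Hypothetical helper name chosen for this example.
func CheckBracketedHost(host string) error {
	if !strings.HasPrefix(host, "[") {
		return nil
	}
	end := strings.LastIndex(host, "]")
	if end < 0 {
		return fmt.Errorf("%w: unterminated bracket in %q", ErrBracketedNonIPv6, host)
	}
	inner := host[1:end]
	// Drop an RFC 6874 zone identifier ("%eth0", or "%25eth0" if still encoded)
	// before parsing; the address part is what must be an IPv6 literal.
	if i := strings.Index(inner, "%"); i >= 0 {
		inner = inner[:i]
	}
	addr, err := netip.ParseAddr(inner)
	if err != nil || !addr.Is6() {
		// ParseAddr accepts "127.0.0.1" as an IPv4 address, so Is6 is what
		// rejects a bracketed IPv4 literal; hostnames fail to parse at all.
		return fmt.Errorf("%w: %q", ErrBracketedNonIPv6, host)
	}
	return nil
}

// ValidateBracketedHost parses rawURL with net/url and then applies
// CheckBracketedHost to the resulting Host field. On fixed Go versions
// url.Parse already rejects the bad forms; on affected versions this
// second check catches what Parse let through.
func ValidateBracketedHost(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := CheckBracketedHost(u.Host); err != nil {
		return nil, err
	}
	return u, nil
}

func main() {
	// Constructed sample URLs: two valid forms and two that must be rejected.
	samples := []string{
		"http://[::1]:8080/path",
		"http://example.com/",
		"http://[127.0.0.1]/",
		"http://[localhost]/",
	}
	for _, s := range samples {
		if _, err := ValidateBracketedHost(s); err != nil {
			fmt.Printf("REJECT %-28s %v\n", s, err)
		} else {
			fmt.Printf("OK     %s\n", s)
		}
	}
}
```

CheckBracketedHost is split out from the URL parsing step so the same rule can be applied to host strings that arrive from other sources (a Host header, a proxy configuration), not only to values produced by url.Parse. IPv4-mapped addresses such as ::ffff:192.0.2.1 are accepted because they are valid IPv6 text, which is what the RFC grammar permits inside brackets.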
