Go net/url Package Invalid URL Handling Vulnerability

Vulnerability

A vulnerability exists in the url.Parse function of the Go standard library's net/url package, which improperly validates the host component of URLs. Some invalid URLs are accepted because extraneous characters before an IPv6 literal in the host are treated as negligible instead of causing a parse error. The issue affects Go versions prior to 1.25.8, as well as versions from 1.26.0 up to but not including 1.26.1.

Impact

Exploitation of this vulnerability could lead to the acceptance of malformed URLs, potentially causing issues in applications that rely on proper URL validation.

Remediation

Users can upgrade to Go versions 1.25.8 or 1.26.1, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
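
For services that cannot be rebuilt with a fixed toolchain right away, a check on the raw authority can reject a misplaced IPv6 literal regardless of the Go version in use. This is an added example, not code from the Go project or this advisory; StrictParse and ErrBadHost are hypothetical names, and the helper assumes absolute URLs with a scheme and accepts only IPv6 address literals inside brackets.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBadHost is returned when a bracketed IPv6 literal is malformed or misplaced.
var ErrBadHost = errors.New("invalid bracketed host")

// StrictParse (hypothetical helper) pre-checks the authority of rawURL, then
// defers to url.Parse. The pre-check does not depend on the Go version in use.
func StrictParse(rawURL string) (*url.URL, error) {
	_, rest, ok := strings.Cut(rawURL, "://")
	if !ok {
		return nil, errors.New("absolute URL with scheme required")
	}
	// The authority ends at the first '/', '?' or '#'.
	if i := strings.IndexAny(rest, "/?#"); i >= 0 {
		rest = rest[:i]
	}
	// Drop userinfo; the host follows the last '@'.
	host := rest[strings.LastIndex(rest, "@")+1:]
	if strings.ContainsAny(host, "[]") {
		end := strings.IndexByte(host, ']')
		if host[0] != '[' || end < 0 {
			return nil, ErrBadHost // characters before the literal, or no closing bracket
		}
		// Remove an RFC 6874 zone ("%25eth0") before validating the address.
		addr, _, _ := strings.Cut(host[1:end], "%25")
		if ip, err := netip.ParseAddr(addr); err != nil || !ip.Is6() {
			return nil, ErrBadHost
		}
		if tail := host[end+1:]; tail != "" && !strings.HasPrefix(tail, ":") {
			return nil, ErrBadHost // only an optional ":port" may follow ']'
		}
	}
	return url.Parse(rawURL)
}

func main() {
	for _, s := range []string{"http://[::1]:8080/a", "http://abc[::1]/"} { // constructed inputs
		_, err := StrictParse(s)
		fmt.Printf("%-24q err=%v\n", s, err)
	}
}
```

The check is a stopgap for input validation paths; upgrading to a fixed release remains the remediation.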

Added: Mar 6, 2026, 10:25 PM
Updated: Mar 6, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.3
exploitability: 5.3
remediation: 7.7
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.