Go Punycode Label Handling Privilege Escalation Vulnerability

Vulnerability

A vulnerability exists in the Go IDNA package (golang.org/x/net/idna, a copy of which is vendored into the Go standard library and used by net/http for hostname handling), specifically in the ToASCII and ToUnicode functions. These functions accept Punycode-encoded labels (labels carrying the "xn--" prefix) whose decoded form contains only ASCII characters. Such a label is not a valid A-label, because a U-label must contain at least one non-ASCII character (RFC 5890), so the functions should return an error instead of a result. For instance, ToUnicode("xn--example-.com") returns "example.com" rather than an error. An attacker therefore has two spellings of what appears to be the same hostname, one of which the IDNA functions silently turn into a plain ASCII name. In applications that normalise or compare hostnames with this package, this can be used to bypass hostname checks that enforce access controls, which is the privilege escalation this advisory describes.

Impact

Exploitation lets an attacker pass a hostname check with a name that is not the one the check was written for. A Punycode spelling such as xn--example-.com is converted to example.com rather than rejected, so a comparison against an allowlist or a trusted hostname succeeds even though the original string names a different DNS label. The result is unauthorized access to resources or functionality that the hostname check was meant to protect.
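As an added example for this page (not code from the Go project or from golang.org/x/net/idna), the following Go program shows both halves of the issue described in the Vulnerability and Impact sections: a small RFC 3492 Punycode decoder, which is what turns the label body "example-" into the ASCII string "example", and a ToUnicode-style hostname conversion with a strict flag. With strict=false the conversion reproduces the accepting behaviour described above; with strict=true it adds the check that a decoded label must contain at least one non-ASCII character and fails closed. The function names (decodePunycode, toUnicodeHost), the sentinel error ErrASCIIOnlyLabel, the simplifications (labels without the xn-- prefix are passed through untouched, input is lower-cased, and no other IDNA validation is performed), the 64-bit int assumption behind the overflow guard, and the sample hostnames are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 3492 parameters; maxDelta bounds i and w so that digit*w cannot wrap (a 64-bit int is assumed).
const base, tmin, tmax, skew, damp, initialBias, initialN, maxDelta = 36, 1, 26, 38, 700, 72, 128, 1 << 31
const digits = "abcdefghijklmnopqrstuvwxyz0123456789" // Punycode digit alphabet: a digit's value is its index

var ErrASCIIOnlyLabel = errors.New("idna: punycode label decodes to ASCII only") // hypothetical sentinel for the strict check

// adapt is the bias adaptation function of RFC 3492 section 6.1.
func adapt(delta, numPoints int, firstTime bool) int {
	if firstTime {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for delta > ((base-tmin)*tmax)/2 {
		delta /= base - tmin
		k += base
	}
	return k + (base-tmin+1)*delta/(delta+skew)
}

// decodePunycode decodes one lower-case label body (the text after "xn--") per RFC 3492 section 6.2; teaching code for this example, not the golang.org/x/net/idna decoder.
func decodePunycode(encoded string) (string, error) {
	if strings.IndexFunc(encoded, func(r rune) bool { return r >= 0x80 }) >= 0 {
		return "", errors.New("punycode: non-ASCII input")
	}
	output, pos := []rune{}, 0
	if idx := strings.LastIndexByte(encoded, '-'); idx > 0 { // basic code points end at the last '-'
		output, pos = []rune(encoded[:idx]), idx+1
	}
	n, i, bias := initialN, 0, initialBias
	for pos < len(encoded) { // each round decodes one delta and inserts one non-basic code point
		oldi, w := i, 1
		for k := base; ; k += base {
			if pos >= len(encoded) {
				return "", errors.New("punycode: truncated delta")
			}
			digit := strings.IndexByte(digits, encoded[pos])
			if digit < 0 {
				return "", fmt.Errorf("punycode: invalid digit %q", encoded[pos])
			}
			pos++
			i += digit * w
			t := k - bias
			if t < tmin {
				t = tmin
			} else if t > tmax {
				t = tmax
			}
			if digit < t {
				break
			}
			w *= base - t
			if i > maxDelta || w > maxDelta {
				return "", errors.New("punycode: overflow")
			}
		}
		x := len(output) + 1
		bias = adapt(i-oldi, x, oldi == 0)
		n += i / x
		i %= x
		if n > 0x10FFFF { // unicode.MaxRune
			return "", errors.New("punycode: code point out of range")
		}
		output = append(output, 0) // grow by one, then insert rune n at index i
		copy(output[i+1:], output[i:])
		output[i] = rune(n)
		i++
	}
	return string(output), nil
}

// toUnicodeHost converts every "xn--" label of host. strict=false reproduces the accepting behaviour
// described above; strict=true adds the RFC 5890 rule that a decoded label must contain a non-ASCII character.
func toUnicodeHost(host string, strict bool) (string, error) {
	labels := strings.Split(strings.ToLower(host), ".")
	for idx, l := range labels {
		if !strings.HasPrefix(l, "xn--") {
			continue // not an A-label: kept as is in this simplified model
		}
		u, err := decodePunycode(l[4:])
		if err == nil && strict && strings.IndexFunc(u, func(r rune) bool { return r >= 0x80 }) < 0 {
			err = ErrASCIIOnlyLabel
		}
		if err != nil {
			return "", fmt.Errorf("label %q: %w", l, err)
		}
		labels[idx] = u
	}
	return strings.Join(labels, "."), nil
}
```

toUnicodeHost("xn--example-.com", false) yields "example.com", which would match an allowlist entry for example.com even though the input names a different DNS label; toUnicodeHost("xn--example-.com", true) returns an error wrapping ErrASCIIOnlyLabel, which is the fail-closed behaviour the page says the fixed ToUnicode and ToASCII functions have. Genuine A-labels such as xn--bcher-kva (bücher) convert the same way in both modes, so the strict check costs nothing for valid names.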

Remediation

Upgrade to Go 1.21.0 or later, where the IDNA functions return an error for Punycode-encoded labels that decode to ASCII-only text. Applications that cannot upgrade immediately can apply the same check themselves: after converting a hostname, reject any label that was supplied with the xn-- prefix but whose converted form contains no non-ASCII character.

Added: May 26, 2026, 3:47 PM
Updated: May 26, 2026, 3:47 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 9.2
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.