CVE-2025-47912 Overview
CVE-2025-47912 affects the Go standard library net/url package. The Parse function fails to enforce RFC 3986 host-component rules. Specifically, it accepts arbitrary values inside square brackets in a URL host, even though those brackets are reserved for IP literals such as the IPv6 address in http://[::1]/. IPv4 addresses and hostnames placed within square brackets are accepted without error. Applications that rely on url.Parse to extract or validate the host can be misled into trusting a malformed authority component. This creates an input validation weakness that can support URL parser confusion attacks against Go programs and downstream services.
Critical Impact
Inconsistent URL host parsing in Go can enable validation bypass and parser-differential attacks against allowlists, SSRF filters, and routing logic that depend on url.Parse.
Affected Products
- Golang Go standard library (net/url package)
- Applications and services built with affected Go versions that invoke url.Parse
- Downstream libraries relying on net/url for host validation
Discovery Timeline
- 2025-10-29 - CVE-2025-47912 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-47912
Vulnerability Analysis
The vulnerability is an Improper Input Validation issue in the Go net/url.Parse function. RFC 3986 reserves square brackets in the URL authority component exclusively for IP-literal forms, primarily IPv6 addresses. The Go parser does not enforce this constraint and allows arbitrary content such as IPv4 addresses or DNS hostnames to appear inside brackets. As a result, a URL like http://[127.0.0.1]/ or http://[example.com]/ parses successfully and exposes a host value that does not match what other RFC-compliant parsers would accept.
The practical risk is parser differential behavior. Security controls that perform host allowlisting, SSRF prevention, redirect validation, or origin checks using url.Parse may see one value, while a downstream HTTP client, proxy, or browser interprets the same URL differently. This mismatch can be used to bypass validation logic without triggering an error from the parser.
Root Cause
The root cause is missing structural validation in the host-parsing branch of net/url. The parser strips the surrounding brackets and stores the inner value as the host without verifying that the content is a valid IP-literal as required by RFC 3986 Section 3.2.2.
Attack Vector
An attacker supplies a crafted URL containing bracketed non-IPv6 content to an application that uses url.Parse for validation. The application accepts the URL as well-formed and processes it under incorrect assumptions about the host. Network reachability is sufficient for exploitation, and no authentication or user interaction is required. Exploitation details depend on how the calling application uses the parsed host. See the Go.dev Vulnerability Report for technical specifics.
Detection Methods for CVE-2025-47912
Indicators of Compromise
- HTTP request logs containing URLs with bracketed hosts that are not valid IPv6 literals, such as http://[127.0.0.1]/ or http://[internal.service]/
- Outbound connection attempts to internal addresses originating from services that should restrict targets via URL allowlists
- Discrepancies between logged request URLs and resolved destination hosts
Detection Strategies
- Inventory Go binaries and modules in the environment and identify those built against vulnerable versions referenced in GO-2025-4010
- Run govulncheck across source repositories and CI pipelines to flag dependent code paths
- Inspect web server, proxy, and WAF logs for request URIs containing [ and ] in the host position
Monitoring Recommendations
- Alert on URLs whose bracketed host content fails strict IPv6 validation at ingress proxies
- Correlate application logs of parsed host values with actual TCP destinations to detect parser-differential behavior
- Track outbound requests from internet-facing Go services to RFC 1918 ranges and other internal targets
How to Mitigate CVE-2025-47912
Immediate Actions Required
- Upgrade Go to the fixed release identified in the Go security announcement and rebuild affected binaries
- Run govulncheck ./... against all Go projects to identify code paths that reach the vulnerable function
- Audit application code that performs host allowlisting or SSRF filtering using url.Parse and add explicit IP-literal validation
Patch Information
The Go team published the fix in change CL 709857, tracked in issue 75678. Details and affected versions are documented in the Go.dev Vulnerability Report GO-2025-4010. Rebuild all Go applications with the patched toolchain — installing a newer Go runtime alone does not update existing binaries.
Workarounds
- Reject incoming URLs whose host begins with [ unless the bracketed content parses as a valid IPv6 address via net.ParseIP
- Normalize and re-validate host components after calling url.Parse and before using them in security decisions
- Place a strict RFC 3986 compliant reverse proxy in front of Go services to filter malformed authority components
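The following Go program is an added example, not code from the Go project or from the advisory. It shows the defensive check the first workaround describes (strict RFC 3986 Section 3.2.2 validation of a bracketed host after url.Parse, here with net/netip rather than net.ParseIP) and reuses the same check for the log inspection recommended under Detection Strategies. The log format and the log lines are constructed for the example; the function names ValidateURLHost and FlagBracketedHosts are this example's own. On a patched toolchain url.Parse already rejects the malformed hosts, so the example treats a parse error and a failed bracket check the same way; on an unpatched toolchain it also shows that u.Hostname() silently strips the brackets, which is what misleads allowlist logic.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// HostCheck is the outcome of strict host validation for one URL.
type HostCheck struct {
	Raw      string // URL as received
	Host     string // u.Host as url.Parse reported it ("" on parse error)
	Hostname string // u.Hostname(), which strips the brackets without validating them
	Reason   string // why the URL was rejected; empty when accepted
}

// OK reports whether the URL passed validation.
func (h HostCheck) OK() bool { return h.Reason == "" }

// validOptionalPort accepts "" or ":" followed by decimal digits (RFC 3986 port).
func validOptionalPort(p string) bool {
	if p == "" {
		return true
	}
	if p[0] != ':' {
		return false
	}
	for _, c := range p[1:] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// ValidateURLHost applies the RFC 3986 Section 3.2.2 rule that url.Parse did not
// enforce before the fix: a bracketed host must be an IPv6 literal, and brackets
// may not appear anywhere else in the host. Call it after url.Parse and before
// any allowlist, SSRF-filter or redirect decision that uses the host.
func ValidateURLHost(raw string) HostCheck {
	u, err := url.Parse(raw)
	if err != nil {
		// A patched toolchain rejects non-IPv6 bracketed hosts here already;
		// an unpatched one parses them and falls through to the checks below.
		return HostCheck{Raw: raw, Reason: "parse error: " + err.Error()}
	}
	hc := HostCheck{Raw: raw, Host: u.Host, Hostname: u.Hostname()}
	if u.Host == "" {
		hc.Reason = "empty host"
		return hc
	}
	if strings.HasPrefix(u.Host, "[") {
		end := strings.LastIndex(u.Host, "]")
		if end < 0 {
			hc.Reason = "unterminated bracket"
			return hc
		}
		if !validOptionalPort(u.Host[end+1:]) {
			hc.Reason = "unexpected text after closing bracket"
			return hc
		}
		addr, err := netip.ParseAddr(u.Host[1:end])
		if err != nil || !addr.Is6() {
			// The CVE-2025-47912 case: [127.0.0.1], [example.com] and similar.
			hc.Reason = "bracketed host is not an IPv6 literal"
		}
		return hc
	}
	if strings.ContainsAny(u.Host, "[]") {
		hc.Reason = "stray bracket in host"
	}
	return hc
}

// FlagBracketedHosts scans log lines in the constructed format
// "<timestamp> <method> <url> <status>" and returns every request whose
// host fails ValidateURLHost; this is the log inspection the advisory suggests.
func FlagBracketedHosts(lines []string) []HostCheck {
	var hits []HostCheck
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		if hc := ValidateURLHost(f[2]); !hc.OK() {
			hits = append(hits, hc)
		}
	}
	return hits
}

// sampleLog is constructed for this example; it is not real traffic.
var sampleLog = []string{
	"2025-11-03T10:00:01Z GET http://[::1]:8080/health 200",
	"2025-11-03T10:00:02Z GET http://api.example.test/v1/items 200",
	"2025-11-03T10:00:03Z GET http://[127.0.0.1]/admin 200",
	"2025-11-03T10:00:04Z GET http://[internal.service]/metrics 200",
}

func main() {
	for _, hc := range FlagBracketedHosts(sampleLog) {
		fmt.Printf("REJECT %-42s host=%q hostname=%q reason=%s\n",
			hc.Raw, hc.Host, hc.Hostname, hc.Reason)
	}
}
```

Applying this check at ingress or immediately after url.Parse makes the decision independent of the toolchain version: a legitimate IPv6 literal with an optional port still passes, while bracketed IPv4 addresses and hostnames are rejected whether the parser itself errors or not.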
# Verify installed Go version and scan modules for the advisory
go version
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.