References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

NVD-CWE-noinfo

OR
          *cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* versions up to (excluding) 1.24.8
          *cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* versions from (including) 1.25.0 up to (excluding) 1.25.2

CVE: http://www.openwall.com/lists/oss-security/2025/10/08/1 Types: Mailing List, Release Notes

Go Project: https://go.dev/cl/709857 Types: Patch

Go Project: https://go.dev/issue/75678 Types: Issue Tracking

Go Project: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI Types: Mailing List, Release Notes

Go Project: https://pkg.go.dev/vuln/GO-2025-4010 Types: Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/10/08/1

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

https://go.dev/cl/709857

https://go.dev/issue/75678

https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

https://pkg.go.dev/vuln/GO-2025-4010