GCVE - cpe:2.3:a:go_standard_library:net/url:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:go_standard_library:net/url:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Go Standard Library (`50bc78d3-15d0-59a4-bc22-a964570e0614`)
Product	Net/Url (`62670fd9-c917-5c43-911c-c48db6f89e79`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-25679`	vulnerable	2026-06-03 15:18:03.837594	Incorrect parsing of IPv6 host literals in net/url url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Published: 2026-03-06T21:28:14.211Z Updated: 2026-03-10T13:37:02.459Z Open on db.gcve.eu Reference links https://go.dev/cl/752180 https://go.dev/issue/77578 https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk https://pkg.go.dev/vuln/GO-2026-4601	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-61726`	vulnerable	2026-06-03 15:07:57.044996	Memory exhaustion in query parameter parsing in net/url The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Published: 2026-01-28T19:30:31.215Z Updated: 2026-01-29T18:31:59.685Z Open on db.gcve.eu Reference links https://go.dev/cl/736712 https://go.dev/issue/77101 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4341	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-47912`	vulnerable	2026-06-03 15:01:33.612306	Insufficient validation of bracketed IPv6 hostnames in net/url The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Published: 2025-10-29T22:10:13.435Z Updated: 2025-11-04T21:10:57.384Z Open on db.gcve.eu Reference links https://go.dev/issue/75678 https://go.dev/cl/709857 https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI https://pkg.go.dev/vuln/GO-2025-4010	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-32190`	vulnerable	2026-06-03 14:47:20.876111	Failure to strip relative path components in net/url JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. Published: 2022-09-13T17:08:57.000Z Updated: 2024-08-03T07:32:56.001Z Open on db.gcve.eu Reference links https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://go.dev/issue/54385 https://go.dev/cl/423514 https://pkg.go.dev/vuln/GO-2022-0988	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.