Vulnerability Report: GO-2022-0211

standard library

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
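A defensive check for the mismatch described above, as an added example (not code from the Go project or from this report): it rebuilds the host from `Hostname()` and `Port()` alone and rejects any URL whose `Host` field contains anything more. The helper names `HostConsistent` and `ParseStrict` are hypothetical, and the sample hosts are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// rebuildHost reassembles host[:port] from the accessors only.
func rebuildHost(u *url.URL) string {
	h, p := u.Hostname(), u.Port()
	if p != "" {
		return net.JoinHostPort(h, p) // adds brackets around IPv6 literals
	}
	if strings.Contains(h, ":") {
		return "[" + h + "]"
	}
	return h
}

// HostConsistent (hypothetical helper) reports whether u.Host holds nothing
// beyond what Hostname() and Port() return.
func HostConsistent(u *url.URL) bool {
	return u.Host == rebuildHost(u)
}

// ParseStrict (hypothetical helper) parses raw and rejects inconsistent hosts.
func ParseStrict(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if !HostConsistent(u) {
		return nil, fmt.Errorf("host %q does not match hostname %q and port %q",
			u.Host, u.Hostname(), u.Port())
	}
	return u, nil
}

func main() {
	// Constructed sample values; url.URL is built directly so the check
	// itself is exercised whether or not url.Parse accepts the input.
	for _, h := range []string{"example.com:8080", "[::1]:443", "[::1]suffix.example:80"} {
		fmt.Printf("%-28q consistent=%v\n", h, HostConsistent(&url.URL{Host: h}))
	}
}
```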

Affected Packages

Aliases

References

Credits

  • Julian Hector, Nikolai Krein from Cure53, Adi Cohen (adico.me)
