Go Parse Function Vulnerability

MEDIUM (5.3) No Patch (51 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 6%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Go standard library's net/url.Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 only allows an IPv6 address (or an IPvFuture literal) between the brackets, but Parse checks only that a closing bracket and an optional port follow, so a URL such as http://[example.com]/ is accepted and Hostname() returns example.com. Code that assumes a bracketed host is an IPv6 literal, or that expects another parser (a proxy, a browser, a different language's URL library) to read the same host, can be pointed at a host it did not intend to allow. The practical risk on attacker-supplied URLs is therefore host-validation bypass and parser differentials, not code execution.

Am I affected?

You're affected if your code, or any dependency, calls net/url.Parse or net/url.ParseRequestURI (net/http.NewRequest calls Parse for you) on attacker-influenced URLs and then trusts the host component, for example in an allowlist, SSRF filter or proxy decision. The behaviour lives in the standard library, so every binary built with an affected toolchain inherits it regardless of module versions. Check your toolchain with the go version command, and run govulncheck ./... to see whether your code actually reaches the affected function.

Affected Packages

go: github.com/golang/go (standard library package net/url)

Affected Products

The Go Team / Go

How to fix

Upgrade to a Go release that ships the fix as soon as one is published (none is listed at the top of this page) and rebuild every binary with the new toolchain.
- Immediate mitigations:
- Do not swap net/url.Parse for another parser; there is no net/url.ParseURL function, and hand-rolled URL parsing introduces its own differentials. Keep using Parse, but re-validate its result.
- After parsing, if u.Host starts with a square bracket, require u.Hostname() to parse as an IPv6 address (net/netip.ParseAddr, then Is6) and reject the URL otherwise. Apply this check wherever an allowlist, SSRF filter or proxy decision is keyed on the host.
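
The post-parse check described above, as an added example that is not part of this page or of the Go project's own code. The wrapper name ParseStrictHost and the HostInfo type are assumptions made for this example, and the URLs fed to main are constructed inputs, not samples from the advisory. The wrapper works the same on an unpatched and a patched toolchain: on an unpatched one the extra check catches what url.Parse let through, on a patched one url.Parse rejects the URL first.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// HostInfo is what a caller gets back after the extra validation.
// (Hypothetical type defined for this example.)
type HostInfo struct {
	Host   string // hostname or IP literal, brackets stripped
	Port   string // empty when the URL carries no port
	IsIPv6 bool   // true when the host was a bracketed IPv6 literal
}

// ParseStrictHost wraps url.Parse and then enforces the RFC 3986 rule that an
// unpatched url.Parse does not: a host written in square brackets must be an
// IPv6 address (optionally carrying an RFC 6874 zone). Anything else between
// the brackets, including hostnames and IPv4 literals, is rejected.
// IPvFuture literals are deliberately rejected as well; see the note below.
// (Hypothetical wrapper written for this example.)
func ParseStrictHost(raw string) (*url.URL, HostInfo, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, HostInfo{}, err
	}
	info := HostInfo{Host: u.Hostname(), Port: u.Port()}
	if !strings.HasPrefix(u.Host, "[") {
		// Unbracketed host: a registered name or an IPv4 literal.
		// Nothing bracket-related to check here.
		return u, info, nil
	}
	// Bracketed host. url.Parse has already guaranteed a closing ']' and that
	// only an optional ":port" follows it. Hostname() strips the brackets and
	// decodes a "%25" zone separator to "%", so a scoped literal arrives as
	// "fe80::1%eth0", which netip.ParseAddr understands.
	addr, err := netip.ParseAddr(info.Host)
	if err != nil || !addr.Is6() {
		return nil, HostInfo{}, fmt.Errorf("bracketed host %q is not an IPv6 literal", info.Host)
	}
	info.IsIPv6 = true
	return u, info, nil
}

func main() {
	// Constructed sample inputs for illustration.
	for _, raw := range []string{
		"http://example.com:8080/",
		"http://[::1]:8080/",
		"http://[fe80::1%25eth0]/",
		"http://[example.com]/",
		"http://[127.0.0.1]/",
	} {
		_, info, err := ParseStrictHost(raw)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-28s host=%q port=%q ipv6=%v\n", raw, info.Host, info.Port, info.IsIPv6)
	}
}
```

Rejecting IPvFuture is a deliberate trade-off: RFC 3986 allows it, but no mainstream client or proxy resolves such literals, so accepting them only widens the differential between your parser and everything downstream. Use info.Host (never the raw u.Host) as the key for allowlists and SSRF decisions so that bracketed and unbracketed spellings of the same host are compared consistently.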