CVE-2025-47912
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: Go Project

Description
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-29
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-47912
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
golang go From 1.25.0 (inc) to 1.25.2 (inc)
golang go 1.25.2
golang go 1.24.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because the Parse function allows values other than IPv6 addresses to be enclosed in square brackets within the host component of a URL. According to RFC 3986, only IPv6 addresses should be enclosed in square brackets in the host part of a URL, while IPv4 addresses and hostnames must not be enclosed this way. The Parse function does not enforce this rule, which can lead to improper URL parsing.

Impact Analysis

This vulnerability can lead to incorrect parsing of URLs, potentially causing security issues such as bypassing input validation, misrouting of network requests, or other unexpected behavior in applications that rely on strict URL parsing. This could be exploited to manipulate how URLs are interpreted, possibly leading to security risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-47912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart