CVE-2026-42503
Remote Code Execution in gopls Debug Mode
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | gopls | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1327 | The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in gopls arises because it normally communicates over a pipe, but also supports the -port and -listen flags for debugging purposes.
If the -listen flag is given a value without a host part (for example, :8080), or if the -port flag is used at all, gopls listens on all network interfaces (0.0.0.0).
This behavior can cause gopls to unintentionally bind to 0.0.0.0, exposing it to the network.
As a result, a malicious party on the same network could exploit this to execute arbitrary code via gopls.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized remote code execution by attackers on the same network.
Because gopls may listen on all interfaces unintentionally, attackers could gain control over the system running gopls.
This could lead to compromise of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in gopls allows a malicious party on the same network to execute arbitrary code remotely if certain debugging flags are used improperly, causing gopls to listen on all network interfaces (0.0.0.0).
This exposure could lead to unauthorized access and control over systems running gopls, potentially resulting in data breaches or unauthorized data processing.
Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if gopls is listening on all network interfaces (0.0.0.0) due to the use of the -port or -listen flags without an explicit host.
You can use network scanning or system commands to detect if gopls is bound to 0.0.0.0 on a specific port.
- Use netstat or ss to check listening ports and interfaces, for example: `netstat -tuln | grep LISTEN` or `ss -tuln | grep LISTEN`
- Look specifically for gopls processes listening on 0.0.0.0 by running: `sudo lsof -i -P -n | grep gopls`
- Use nmap from another machine on the same network to scan for open gopls ports, e.g., `nmap -p 8080 <target-ip>`
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the -port or -listen flags without specifying an explicit host when running gopls.
Ensure that gopls does not bind to 0.0.0.0 by default, and restrict its listening interface to localhost or a specific IP address.
If debugging is necessary, specify the host explicitly with the -listen flag (e.g., 127.0.0.1:8080) to prevent exposure on all interfaces.
Additionally, monitor your network for unexpected gopls listening services and restrict network access to trusted users only.
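The binding rule the detection and mitigation answers above rely on (a -port value or a host-less -listen value such as :8080 means 0.0.0.0, while an explicit 127.0.0.1:8080 does not) can be checked mechanically before gopls is launched, for example in an audit of editor or fleet configuration. The Go function below is an added example written for this page, not code from gopls or the Go project; it assumes the flags arrive as `-flag value` or `-flag=value` and its argument parsing is its own approximation, not gopls's exact flag handling.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Finding records one debugging flag and whether the address it yields
// binds every interface, the exposure this advisory describes.
type Finding struct {
	Flag, Value, Host, Port string
	AllInterfaces           bool
}

// Host spellings meaning "every interface"; SplitHostPort strips the brackets from "[::]".
var wildcardHosts = map[string]bool{"": true, "0.0.0.0": true, "::": true}

// ListenExposure scans gopls arguments for -listen / -port (assumed to be given as
// "-flag value" or "-flag=value", one or two dashes) and reports whether each binds
// all interfaces: -port always does; -listen does when its host is empty or a wildcard.
func ListenExposure(args []string) ([]Finding, error) {
	var out []Finding
	for i := 0; i < len(args); i++ {
		name, val, hasEq := strings.Cut(strings.TrimLeft(args[i], "-"), "=")
		if !strings.HasPrefix(args[i], "-") || (name != "listen" && name != "port") {
			continue // positional argument (e.g. "serve") or an unrelated flag
		}
		if !hasEq { // value is the next argument
			if i+1 >= len(args) {
				return nil, fmt.Errorf("flag -%s is missing its value", name)
			}
			i++
			val = args[i]
		}
		f := Finding{Flag: "-" + name, Value: val}
		if name == "port" {
			f.Port, f.AllInterfaces = val, true
		} else {
			host, port, err := net.SplitHostPort(val)
			if err != nil {
				return nil, fmt.Errorf("-listen %q: %w", val, err)
			}
			f.Host, f.Port, f.AllInterfaces = host, port, wildcardHosts[host]
		}
		out = append(out, f)
	}
	return out, nil
}
```

A finding with AllInterfaces set is the configuration to reject or rewrite to a loopback host; a -listen value without a port is reported as an error rather than guessed at.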