Go Standard Library Net Url vulnerabilities

4 known vulnerabilities affecting go_standard_library/net_url.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2026-25679 | HIGH | CVSS 7.5 | fixed in 1.25.8 | ≥ 1.26.0-0, < 1.26.1 | 2026-03-06
CVE-2026-25679 [HIGH]: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Sources: cvelistv5, nvd

CVE-2025-61726 | HIGH | CVSS 7.5 | fixed in 1.24.12 | ≥ 1.25.0, < 1.25.6 | 2026-01-28
CVE-2025-61726 [HIGH] CWE-770: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memo
Sources: cvelistv5, nvd

CVE-2025-47912 | MEDIUM | CVSS 5.3 | fixed in 1.24.8 | ≥ 1.25.0, < 1.25.2 | 2025-10-29
CVE-2025-47912 [MEDIUM]: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce t
Sources: cvelistv5, nvd

CVE-2022-32190 | HIGH | CVSS 7.5 | ≥ 1.19.0-0, < 1.19.1 | 2022-09-13
CVE-2022-32190 [HIGH] CWE-22: JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
Sources: cvelistv5, nvd