CVE-2025-47912
Golang vulnerability analysis and mitigation

Overview

CVE-2025-47912 affects the net/url package of the Go programming language and stems from insufficient validation of bracketed IPv6 hostnames. The issue was discovered by researchers Enze Wang, Jingcheng Yang, and Zehui Miao from Tsinghua University and was publicly disclosed on October 7, 2025 (Golang Announce).

Technical details

The vulnerability exists in the Parse function of the net/url package, which incorrectly permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component enclosed in square brackets (e.g., 'http://[::1]/'), but IPv4 addresses and hostnames must not appear within square brackets, and the implementation failed to enforce that requirement (GitHub Issue).

Impact

The vulnerability affects multiple versions of Go, including Go 1.15 through Go 1.24. Various distributions were impacted, including Debian's bullseye (1.15.15-1~deb11u4), bookworm (1.19.8-2), and trixie (1.24.4-1) releases (Debian Tracker).

Mitigation and workarounds

The vulnerability has been patched in Go versions 1.25.2 and 1.24.8. The fixes are available through commits 9fd3ac8a10272afd90312fef5d379de7d688a58e (for Go 1.25.2) and d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (for Go 1.24.8). Users are advised to upgrade to these patched versions (Golang Announce).
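Where an upgrade cannot be rolled out immediately, the bracket rule from the technical details can be enforced in application code after parsing. The following is an added example, not the Go project's patch; `checkBracketedHost` and `ErrBracketedHost` are hypothetical names and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBracketedHost (hypothetical name) marks a bracketed host that is not IPv6.
var ErrBracketedHost = errors.New("bracketed host is not an IPv6 address")

// checkBracketedHost (hypothetical helper) parses raw and applies the RFC 3986
// rule that only an IPv6 literal may appear inside square brackets.
func checkBracketedHost(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err // patched toolchains already fail here for bad bracketed hosts
	}
	if !strings.HasPrefix(u.Host, "[") {
		return u, nil // unbracketed hostname or IPv4 address: nothing to check
	}
	// Hostname() strips the brackets and any port; ParseAddr accepts only IP
	// literals, so hostnames fail to parse and IPv4 fails the Is6 test.
	addr, err := netip.ParseAddr(u.Hostname())
	if err != nil || !addr.Is6() {
		return nil, fmt.Errorf("%w: %q", ErrBracketedHost, u.Host)
	}
	return u, nil
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{
		"http://[::1]:8080/",
		"http://example.com/",
		"http://[example.com]/",
		"http://[127.0.0.1]/",
	} {
		if _, err := checkBracketedHost(raw); err != nil {
			fmt.Printf("reject %-24s %v\n", raw, err)
		} else {
			fmt.Printf("accept %s\n", raw)
		}
	}
}
```

The helper returns an error for the malformed inputs on both patched and unpatched toolchains: on a patched one the error comes from `url.Parse` itself, on an unpatched one from the added check.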

This report was generated using AI.

Related Golang vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-61725 | N/A | N/A | Golang | go1.25-race | No | Yes | Oct 10, 2025 |
| CVE-2025-61724 | N/A | N/A | Golang | golang-1.23 | No | Yes | Oct 10, 2025 |
| CVE-2025-61723 | N/A | N/A | Golang | go1.24-race | No | Yes | Oct 10, 2025 |
| CVE-2025-58189 | N/A | N/A | Golang | go1.25-doc | No | Yes | Oct 10, 2025 |
| CVE-2025-58188 | N/A | N/A | Golang | golang-1.23 | No | Yes | Oct 10, 2025 |
