
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-47912 is a security vulnerability discovered in the Go programming language's URL parsing functionality. The vulnerability was disclosed on October 29, 2025, affecting the Parse function in the net/url package. The issue allows values other than IPv6 addresses to be included in square brackets within the host component of a URL, contrary to RFC 3986, which permits only IPv6 addresses (IP literals) within square brackets (SOURCE, GO PROJECT).
The vulnerability stems from insufficient validation in the Parse function of the net/url package. While RFC 3986 specifies that only IPv6 addresses should be enclosed within square brackets in URL host components (e.g., 'http://[::1]/'), the Parse function failed to enforce this requirement, allowing IPv4 addresses and hostnames to appear within square brackets. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (UBUNTU SEC, NVD).
The vulnerability affects multiple versions of Go, including versions before 1.24.8 and from 1.25.0 before 1.25.2. The impact extends to packages built using affected Go versions, which must be rebuilt once a fixed toolchain is in place (DEBIAN TRACKER).
The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. Users are advised to upgrade to these patched versions. Additionally, packages built using golang need to be rebuilt after updating to the fixed version (OSS SECURITY).
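Added example (not code from the Go project or from this database entry): a defender-side guard that re-validates the host after url.Parse, so that applications still running on Go before 1.24.8 / 1.25.2 enforce the RFC 3986 rule the fix restores. ParseStrictHost is an assumed helper name and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ParseStrictHost parses rawURL with net/url and then re-checks the host as
// RFC 3986 requires: anything in square brackets must be an IPv6 address
// (an RFC 6874 zone such as "%eth0" is allowed). Fixed Go releases reject bad
// brackets inside url.Parse already; on older releases this guard is what
// catches "[127.0.0.1]" or "[example.com]". Hypothetical helper, not net/url API.
func ParseStrictHost(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	host := u.Host // may carry a port, e.g. "[::1]:8080"
	if !strings.HasPrefix(host, "[") {
		return u, nil // unbracketed host: nothing bracket-related to check
	}
	end := strings.IndexByte(host, ']')
	if end < 0 {
		return nil, fmt.Errorf("unterminated bracket in host %q", host)
	}
	// url.Parse has already unescaped a "%25zone" suffix to "%zone",
	// which netip.ParseAddr understands for IPv6.
	addr, err := netip.ParseAddr(host[1:end])
	if err != nil || !addr.Is6() {
		return nil, fmt.Errorf("bracketed host %q is not an IPv6 address", host)
	}
	return u, nil
}

func main() {
	// Constructed sample inputs; the last two must be rejected.
	for _, s := range []string{
		"http://[::1]:8080/",       // IPv6 literal with port
		"http://[fe80::1%25eth0]/", // IPv6 literal with zone
		"http://example.com/",      // plain hostname, no brackets
		"http://[127.0.0.1]/",      // IPv4 in brackets
		"http://[example.com]/",    // hostname in brackets
	} {
		_, err := ParseStrictHost(s)
		fmt.Printf("%-26s accepted=%v err=%v\n", s, err == nil, err)
	}
}
```

The guard returns an error for the two malformed hosts whether or not the underlying Go release already contains the fix, so it can be used as a consistent filter while toolchains are being updated.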
The vulnerability was discovered and reported by Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University. The Go team promptly addressed the issue by releasing security updates in versions 1.24.8 and 1.25.2 (GO PROJECT).
Source: This report was generated using AI