CVE-2019-14809

EPSS 2.5%

golang-1.11 - security update

Published: 7/1/2022Modified: 3/9/2026

Description

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

Affected packages (2)

Debian/golang-1.11from 0, < 1.11.6-1+deb10u1
Go/stdlibfrom 0, < 1.11.13, >= 1.12.0-0, < 1.12.8

References (4)

PATCHhttps://go.dev/cl/189258
PATCHhttps://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
REPORThttps://go.dev/issue/29098
WEBhttps://groups.google.com/g/golang-announce/c/65QixT3tcmg