Bug 2407247 (CVE-2025-47912) - CVE-2025-47912 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
Keywords:
Status: NEW
Alias: CVE-2025-47912
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-10-29 23:01 UTC by OSIDB Bzimport
Modified: 2025-11-11 10:49 UTC
CC List: 145 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-10-29 23:01:35 UTC
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
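A caller-side check for the rule described above, as an added example (not code from the Go project or from this bug report): after `url.Parse`, any host written in square brackets must parse as an IPv6 address. The helper name `validateBracketedHost` and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// validateBracketedHost (hypothetical helper) parses raw and, when the host
// is written in square brackets, requires the bracketed text to be an IPv6
// address. It returns an error whether Parse itself or this extra check
// rejects the URL, so callers behave the same regardless of whether the
// net/url in use enforces the rule.
func validateBracketedHost(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err // Parse rejected the URL on its own
	}
	host := u.Host // may include ":port" after the closing bracket
	if !strings.HasPrefix(host, "[") {
		return u, nil // not a bracketed host; nothing further to check here
	}
	end := strings.LastIndex(host, "]")
	if end < 0 {
		return nil, fmt.Errorf("unterminated bracket in host %q", host)
	}
	inner := host[1:end]
	// netip.ParseAddr accepts IPv4 and IPv6; Is6 filters out bracketed IPv4.
	addr, err := netip.ParseAddr(inner)
	if err != nil || !addr.Is6() {
		return nil, fmt.Errorf("bracketed host %q is not an IPv6 address", inner)
	}
	return u, nil
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		"http://[::1]/",            // valid: IPv6 literal in brackets
		"http://[example.com]/",    // invalid: hostname in brackets
		"http://[127.0.0.1]:8080/", // invalid: IPv4 address in brackets
	}
	for _, s := range samples {
		_, err := validateBracketedHost(s)
		fmt.Printf("%-28s err=%v\n", s, err)
	}
}
```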