net/url: insufficient validation of bracketed IPv6 hostnames (CVE-2025-47912)

[neild]

The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.

This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.

---

This is a PRIVATE issue for CVE-2025-47912, tracked in http://b/436581568 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2680.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #75712 (for 1.24), #75713 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/709838 mentions this issue: [release-branch.go1.24] net/url: enforce stricter parsing of bracketed IPv6 hostnames

[gopherbot]

Change https://go.dev/cl/709857 mentions this issue: net/url: enforce stricter parsing of bracketed IPv6 hostnames

[gopherbot]

Change https://go.dev/cl/709847 mentions this issue: [release-branch.go1.25] net/url: enforce stricter parsing of bracketed IPv6 hostnames