net/url: ipv4 mapped ipv6 addresses should be valid in square brackets

[hartwork]

Related to: #75678

---

Hi! 👋

I've been asked to turn #75678 (comment) into a dedicated issue…

The recent fix to vulnerability CVE-2025-47912 in commit f6f4e8b introduced a test case…

go/src/net/url/url_test.go

Line 729 in d4830c6

{"https://[::ffff:192.0.2.1]", false},

…that is in conflict with RFC 3986: The URI/URL is well-formed with regard to RFC 3986 — mapped IPv4 addresses are allowed (rather than forbidden) by RFC 3986 — and so the expected result is true rather than false: the URI/URL should not be rejected.

Would be cool if that could be fixed. Thanks!

PS: Full disclosure, I'm the author of https://github.com/uriparser/uriparser that implements RFC 3986 in C89.

Best, Sebastian

---

CC @rolandshoemaker

[rolandshoemaker]

cc @ethanalee-work

[gabyhelp]

Related Issues

• net/url: insufficient validation of bracketed IPv6 hostnames (CVE-2025-47912) #75678 (closed)
• net/url: Parse doesn't support RFC 6847: literal IPv6 address w/ zone in URI #6530 (closed)
• net/url: better handling or documentation of IPv6 addresses in url.URL.Host #61276 (closed)
• net: Unable to reliably distinguish IPv4-mapped-IPv6 addresses from regular IPv4 addresses #37921
• net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses [CVE-2024-24790] #67680 (closed)
• net/url: make URL parsing return an error on IPv6 literal without brackets #31024

Related Code Changes

• net/url: make Parse return an error for IPv6 literals without brackets
• [release-branch.go1.25] net/url: enforce stricter parsing of bracketed IPv6 hostnames
• net/url: enforce stricter parsing of bracketed IPv6 hostnames
• [release-branch.go1.24] net/url: enforce stricter parsing of bracketed IPv6 hostnames

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/710375 mentions this issue: net/url: allow IP-literals with IPv4-mapped IPv6 addresses