net/url: reject IPv6 literal not at start of host (CVE-2026-25679)

[jitsu-net]

The Go standard library function net/url.Parse insufficiently
validated the host/authority component and accepted some invalid URLs
by effectively treating garbage before an IP-literal as ignorable.
The function should have rejected this as invalid.

To prevent this behavior, net/url.Parse now rejects IPv6 literals
that do not appear at the start of the host subcomponent of a URL.

Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

This is CVE-2026-25679 and https://go.dev/issue/77578.

---

This is a PRIVATE issue for CVE-2026-25679, tracked in http://b/477918287 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3400.

/cc @golang/security and @golang/release

[thatnealpatel]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #77969 (for 1.25), #77970 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/752080 mentions this issue: [release-branch.go1.26] net/url: reject IPv6 literal not at start of host