GO-2026-5026

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-5026

Import Source

https://vuln.go.dev/ID/GO-2026-5026.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2026-5026

Aliases

CVE-2026-39821

Related

CGA-frmm-xgw5-xmhr

Published

2026-05-22T02:46:43Z

Modified

2026-06-04T05:14:11.686606600Z

Summary

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-5026"
}

References

Credits

- KC1zs4 (https://github.com/KC1zs4)

Affected packages

Go / golang.org/x/net

Package

Name: golang.org/x/net; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/net

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.55.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/idna",
            "symbols": [
                "Profile.ToASCII",
                "Profile.ToUnicode",
                "Profile.process",
                "ToASCII",
                "ToUnicode"
            ]
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-5026.json"