19 matches found

RedHat Linux
added 2026/05/19 1:23 p.m., 9 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5, AI score 7.3, EPSS 0.00044
Exploits: 0, References: 8

OSV
added 2026/04/07 12:3 p.m., 4 views

RLSA-2026:6383 Important: grafana-pcp security update

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fixes: net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For...

CVSS 7.5, AI score 5.8, EPSS 0.00044
Exploits: 0, References: 2

Fedora
added 2025/04/21 1:41 a.m., 6 views

[SECURITY] Fedora 40 Update: rust-url-2.5.4-1.fc40

URL library for Rust, based on the WHATWG URL Standard...

AI score 7.4
Exploits: 0

Fedora
added 2025/04/20 4:23 a.m., 8 views

[SECURITY] Fedora 42 Update: rust-url-2.5.4-1.fc42

URL library for Rust, based on the WHATWG URL Standard...

AI score 7.4
Exploits: 0

OSV
added 2024/09/13 9:53 p.m., 9 views

GO-2024-3098 The req library may send an unintended request when a malformed URL is provided in github.com/imroc/req

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in...

CVSS 9.8, AI score 10, EPSS 0.00142
Exploits: 0, References: 3

BDU FSTEC
added 2022/09/21 12:0 a.m., 1 view

The vulnerability of the urllib component in the Python programming language allows a hacker to trigger a service failure.

The vulnerability of the urllib component in the Python programming language is related to an uncontrolled consumption of resources. Exploiting this vulnerability allows a remote attacker to cause service interruptions...

CVSS 7.5, EPSS 0.00119
Exploits: 1, References: 14, Affected Software: 4

The Hacker News
added 2022/08/02 12:5 p.m., 46 views

New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications

Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications. "The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as ...

AI score 0.2
Exploits: 0

Huntr
added 2022/07/02 6:53 a.m., 8 views

Cross Site Scripting via Improper Input Validation (parser differential)

Description I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...

AI score 0.2
Exploits: 0

OSV
added 2022/06/28 12:1 a.m., 0 views

GHSA-7F3X-X4PR-WQHJ Server-Side Request Forgery in parse-url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0...

CVSS 9.8, AI score 5.9, EPSS 0.00318
Exploits: 1, References: 3

ATTACKERKB
added 2022/06/27 11:15 a.m., 3 views

CVE-2022-0722

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0...

CVSS 7.5, AI score 5.5, EPSS 0.00301
Exploits: 1, References: 3

ATTACKERKB
added 2022/06/27 11:15 a.m., 1 view

CVE-2022-2217

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0...

CVSS 9.1, AI score 6.9, EPSS 0.00294
Exploits: 1, References: 3

RedHat Linux
added 2022/05/10 1:32 p.m., 3 views

python: urllib: HTTP client possible infinite loop on a 100 Continue response

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability...

CVSS 7.5, AI score 6.9, EPSS 0.00119
Exploits: 1, References: 4

RedHat Linux
added 2021/11/02 9:17 a.m., 4 views

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sen...

CVSS 6.5, AI score 6.9, EPSS 0.00629
Exploits: 1, References: 8

Huntr
added 2021/07/08 8:10 a.m., 21 views

Open Redirect in ionicabizau/parse-url

Description: parse-url mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while parse-url sees it as a relative path. Which will lead to SSRF attacks, open redirects, or...

AI score 0.6, EPSS 0.00552
Exploits: 2

RedHat Linux
added 2019/12/10 11:53 a.m., 2 views

golang: malformed hosts in URLs leads to authorization bypass

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...

CVSS 9.8, AI score 7.4, EPSS 0.02534
Exploits: 1, References: 6

BDU FSTEC
added 2019/06/18 12:0 a.m., 0 views

The vulnerability of the urllib3 module in the Python programming language, related to errors in handling registration data, allows attackers to disclose protected information.

The vulnerability of the urllib3 module in the Python programming language is related to errors in handling registration data. Exploiting this vulnerability can allow a remote attacker to disclose sensitive information that is protected by this module...

CVSS 9.8, AI score 7.7, EPSS 0.00656
Exploits: 0, References: 7, Affected Software: 3

OSV
added 2018/10/31 7:29 p.m., 1 view

ALPINE-CVE-2018-16842

Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the toolmsgs.c:voutf function that may result in information exposure and denial of service...

CVSS 9.1, AI score 7, EPSS 0.00162
Exploits: 0, References: 1

OSV
added 2018/08/01 6:29 a.m., 3 views

ALPINE-CVE-2016-8615

A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar...

CVSS 7.5, AI score 6.6, EPSS 0.04182
Exploits: 0, References: 1

BDU FSTEC
added 2018/07/27 12:0 a.m., 0 views

The vulnerability of the software for interacting with servers via cURL arises from buffer overflows in memory, allowing an attacker to execute arbitrary code or cause a service failure.

The vulnerability of the software for interacting with servers via cURL arises due to the overflow of dynamic memory in the buffer when a FTP connection is closed. Exploiting this vulnerability allows a remote attacker to execute arbitrary code or cause a service failure by using long server...

CVSS 9.8, AI score 8.5, EPSS 0.00926
Exploits: 0, References: 6, Affected Software: 2