AIKIDO-2026-11039
golang.org/x/net is vulnerable to Improper Validation of Unsafe Equivalence in Input
96
Critical Risk
This Affects:
golang.org/x/netTL;DR
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range and if you use the golang.org/x/net/idna functionalities.
Background info
golang.org/x/net is vulnerable to Improper Validation of Unsafe Equivalence in Input in versions 0.0.0 - 0.54.0.
How to fix this
Upgrade the golang.org/x/net library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant