CVE-2026-25679
Published: 06 March 2026
Summary
CVE-2026-25679 is a high-severity Forced Browsing (CWE-425) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths.
Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks.
Enforcing access for all logical requests prevents unauthorized direct access to protected resources.
Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent.
Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis.
Blocks unauthorized direct requests or forced browsing by denying input access to non-authorized actors.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable flaw in Go's url.Parse that directly results in application or system crash/resource exhaustion (A:H impact, no C/I), mapping to T1499.004 Application or System Exploitation for DoS.
NVD Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Deeper analysisAI
CVE-2026-25679 affects the Go programming language's net/url package, specifically the url.Parse function, which insufficiently validates the host/authority component and accepts some invalid URLs. Published on 2026-03-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-425.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation results in high-impact denial of service, as indicated by the availability metric.
Mitigation details are provided in official Go advisories and resources, including the vulnerability entry at https://pkg.go.dev/vuln/GO-2026-4601, the announcement at https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk, the issue tracker at https://go.dev/issue/77578, and the code review change at https://go.dev/cl/752180.
Details
- CWE(s)