Fluid Attacks Database

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/net	>=0 <0.55.0	0.55.0
debian 11	golang-golang-x-net	=1:0.0+git20210119.5f4716e+dfsg-4 \|\| =1:0.0+git20210805.aaa1db6+dfsg-1 \|\| =1:0.0+git20211209.491a49a+dfsg-1 \|\| =1:0.0+git20211209.491a49a+dfsg-1~bpo11+1 \|\| =1:0.0+git20220225.27dd868+dfsg-1 \|\| =1:0.0+git20220531.c960675+dfsg-1 \|\| =1:0.0+git20220624.1bab6f3+dfsg-1 \|\| =1:0.0+git20220728.c7608f3+dfsg-1 \|\| =1:0.0+git20220728.c7608f3+dfsg-2 \|\| =1:0.0+git20220728.c7608f3+dfsg-2~bpo11+1 \|\| =1:0.0+git20221012.0b7e1fb+dfsg-1 \|\| =1:0.0+git20221012.0b7e1fb+dfsg-1~bpo11+1 \|\| =1:0.1.0+dfsg-1 \|\| =1:0.10.0-1 \|\| =1:0.11.0-1 \|\| =1:0.14.0-1 \|\| =1:0.15.0-1 \|\| =1:0.15.0-2 \|\| =1:0.17.0+dfsg-1 \|\| =1:0.19.0+dfsg-1 \|\| =1:0.20.0+dfsg-1 \|\| =1:0.21.0+dfsg-1 \|\| =1:0.22.0+dfsg-1 \|\| =1:0.23.0+dfsg-1 \|\| =1:0.24.0+dfsg-1 \|\| =1:0.25.0+dfsg-1 \|\| =1:0.26.0+dfsg-1 \|\| =1:0.26.0+dfsg-2 \|\| =1:0.27.0-1 \|\| =1:0.27.0-2 \|\| =1:0.4.0+dfsg-1 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.53.0-2~bpo13+1 \|\| =1:0.55.0-1 \|\| =1:0.7.0+dfsg-1	-
debian 12	golang-golang-x-net	=1:0.10.0-1 \|\| =1:0.11.0-1 \|\| =1:0.14.0-1 \|\| =1:0.15.0-1 \|\| =1:0.15.0-2 \|\| =1:0.17.0+dfsg-1 \|\| =1:0.19.0+dfsg-1 \|\| =1:0.20.0+dfsg-1 \|\| =1:0.21.0+dfsg-1 \|\| =1:0.22.0+dfsg-1 \|\| =1:0.23.0+dfsg-1 \|\| =1:0.24.0+dfsg-1 \|\| =1:0.25.0+dfsg-1 \|\| =1:0.26.0+dfsg-1 \|\| =1:0.26.0+dfsg-2 \|\| =1:0.27.0-1 \|\| =1:0.27.0-2 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.53.0-2~bpo13+1 \|\| =1:0.55.0-1 \|\| =1:0.7.0+dfsg-1	-
debian 13	golang-golang-x-net	=1:0.27.0-2 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.53.0-2~bpo13+1 \|\| =1:0.55.0-1	-
debian 14	golang-golang-x-net	=1:0.27.0-2 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.53.0-2~bpo13+1 \|\| =1:0.55.0-1	-

Aliases

1. CVE-2026-398212. NVD-2026-398213. OSV-GO-2026-50264. OSV-2026-398215. OSV-DEBIAN-2026-398216. GCVE-2026-398217. SECURITY-TRACKER-CVE-2026-39821

References

1. https://go.dev/cl/7672202. https://go.dev/issue/787603. https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.