CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-24790

CVSS 9.8v3.1pub. 2024-06-05upd. 2024-11-21

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

🤖 AI Analysis
How it works

IPv4-mapped IPv6 addresses are a special format that allows IPv4 addresses to be represented in IPv6 address space (e.g., ::ffff:127.0.0.1 corresponds to 127.0.0.1). The Is* methods in the net/netip package did not treat these addresses the same as their pure IPv4 counterparts, so for example the address ::ffff:192.168.1.1 was not recognized as private. Applications relying on these functions to make security decisions could as a result incorrectly classify an address and allow access that should be blocked.

Impact

An attacker can bypass filters based on IP address classification (e.g., blocking private addresses, loopback, or link-local), which depending on the application may result in unauthorized access to resources, privilege escalation, or disclosure of sensitive data.

Mitigation & patch

Apply patches available from the vendor according to the references (fix available at go.dev/cl/590316). It is recommended to update to the latest patched version of Go and review the code of applications using Is* methods in the context of IPv4-mapped IPv6 addresses.

Who is affected

Golang Go — versions indicated in the vendor references (see go.dev/issue/67680 and golang-announce mailing list)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Golang Go

    APP
    Golang
    < 1.21.111.22.0 – 1.22.4 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-27143CRITICAL9.8PL ✓ten sam produkt

Błąd arytmetyczny w kompilatorze Golang Go prowadzący do uszkodzenia pamięci

CVE-2025-66630CRITICAL9.2PL ✓ten sam produkt

Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów

CVE-2025-68121CRITICAL10.0PL ✓ten sam produkt

Golang crypto/tls: błędna walidacja certyfikatów przy wznawianiu sesji TLS

CVE-2023-39320CRITICAL9.8ten sam produkt

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relati...

CVE-2023-29405CRITICAL9.8ten sam produkt

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" o...