Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
CVE-2024-24790

9.8CRITICAL

Key Information:

Vendor: Go Standard Library
Status: Net/netip
Vendor: CVE Published:; 5 June 2024

What is CVE-2024-24790?

The vulnerability arises from the failure of specific methods such as IsPrivate and IsLoopback to handle IPv4-mapped IPv6 addresses accurately. Instead of recognizing these addresses correctly, the methods return unexpected false values. As a result, this inconsistency can lead to misinterpretation of network traffic and expose applications to incorrect access controls or routing behaviors. This issue poses a significant risk, especially in environments relying on accurate address verification.

Affected Version(s)

net/netip 0 < 1.21.11

net/netip 1.22.0-0 < 1.22.4

References

https://go.dev/cl/590316

https://go.dev/issue/67680

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 5, 2024

Credit

Enze Wang of Alioth (@zer0yu)

Jianjun Chen of Zhongguancun Lab (@chenjj)

Go Standard Library

What is CVE-2024-24790?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit