CVE-2026-39821

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVSS 9.6 CRITICAL | EPSS 0.3% | CWE-1289
In short

A flaw in Go's domain name processing (the golang.org/x/net/idna package) lets an attacker bypass hostname-based security checks by supplying a domain name in Punycode encoding. A domain that a security check would block in its plain ASCII form can be passed to the check in its Punycode-encoded form, which the check does not recognise as the same name, and the attacker gains unauthorized access.

Technical detail

The idna package's ToASCII and ToUnicode functions fail to reject Punycode-encoded labels that decode to ASCII-only strings, which enables bypass of hostname-based access controls. An attacker can supply a Punycode-encoded hostname (e.g., 'xn--example-.com') that decodes to a plain ASCII hostname: a check that would deny the ASCII form passes the encoded form, and the application's subsequent conversion to Unicode yields the denied name, leading to privilege escalation.

Summary generated and translated by AI from the official description.
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
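The following Go program is an added illustration, not code from the advisory or from golang.org/x/net. It uses a small constructed RFC 3492 Punycode decoder to show both behaviours on a single label: ToUnicodeLabel with strict=false reproduces the flaw, returning "example" for "xn--example-" so the encoded label acts as an alias of the plain one, while strict=true applies the fix and rejects any "xn--" label whose decoded form is ASCII-only. The function names and the strict flag are assumptions for this example, not the idna package's API.

```go
package main
import ("fmt"; "strings")
const base, tmin, tmax, skew, damp, initBias, initN = 36, 1, 26, 38, 700, 72, 128 // RFC 3492
// adapt is the bias adaptation function of RFC 3492 section 6.1.
func adapt(delta, n int, first bool) int {
	if first { delta /= damp } else { delta /= 2 }
	delta += delta / n
	k := 0
	for ; delta > (base-tmin)*tmax/2; k += base { delta /= base - tmin }
	return k + (base-tmin+1)*delta/(delta+skew)
}
// decodePunycode decodes the body of an "xn--" label (RFC 3492 section 6.2).
// It is a constructed minimal decoder, not the x/net/idna implementation.
func decodePunycode(s string) (string, error) {
	s = strings.ToLower(s) // Punycode digits are case-insensitive
	out, pos, n, i, bias := []rune{}, 0, initN, 0, initBias
	if d := strings.LastIndexByte(s, '-'); d >= 0 {
		out, pos = []rune(s[:d]), d+1 // basic (ASCII) code points come first
	}
	for pos < len(s) {
		oldi, w := i, 1
		for k := base; ; k += base {
			d := -1 // digit value: a-z => 0..25, 0-9 => 26..35
			if pos < len(s) { d = strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", s[pos]); pos++ }
			if d < 0 { return "", fmt.Errorf("punycode: invalid label body %q", s) }
			i += d * w
			t := k - bias
			if k <= bias { t = tmin } else if k >= bias+tmax { t = tmax }
			if d < t { break }
			w *= base - t
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		n += i / (len(out) + 1)
		i %= len(out) + 1
		out = append(out[:i], append([]rune{rune(n)}, out[i:]...)...) // insert n at position i
		i++
	}
	return string(out), nil
}
// ToUnicodeLabel converts one ASCII hostname label. strict=false mirrors the flaw
// (an "xn--" label decoding to ASCII only is returned as is); strict=true rejects it.
func ToUnicodeLabel(label string, strict bool) (string, error) {
	if !strings.HasPrefix(strings.ToLower(label), "xn--") { return label, nil }
	u, err := decodePunycode(label[4:])
	if err != nil || !strict || strings.IndexFunc(u, func(r rune) bool { return r >= 0x80 }) >= 0 {
		return u, err
	}
	return "", fmt.Errorf("idna: %q decodes to the ASCII-only label %q", label, u)
}
```

A deny-list keyed on the ASCII hostname is only sound if the same normalisation (including this rejection) is applied before the comparison, not after it.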
