← back
CVE-2022-32190

Failure to strip relative path components in net/url

EPSS 1.7%
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
Affected products
Go standard library · net/url

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://go.dev/cl/423514https://go.dev/issue/54385https://groups.google.com/g/golang-announce/c/x49AQzIVX-shttps://pkg.go.dev/vuln/GO-2022-0988