Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue


Go, or Golang, is an open source programming language designed for building reliable and efficient software at scale. Backed by Google, Go is used by some of the world's largest companies, often to develop cloud-native applications, including for Kubernetes.

Oxeye researchers have conducted an analysis of Go-based cloud-native applications and discovered an edge case that could have serious implications.

The issue, which they have dubbed ParseThru, is related to unsafe URL parsing. Until version 1.17, Go treated a semicolon in the query part of a URL as a valid parameter delimiter. Starting with that version, the parser returns an error if the URL query contains a semicolon.
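The following Go snippet is an added example, not code from the article or from Oxeye's research, and assumes a Go 1.17 or newer runtime. It shows how a query containing a semicolon is handled when the parse error is ignored versus when it is honoured, and `ParseQueryStrict` is a hypothetical hardened wrapper that rejects such queries outright so that front-end and back-end parsers cannot disagree on where a parameter ends:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// QueryOutcome captures the two views of one raw query string:
// the lenient view (what r.URL.Query() yields, since it discards the error)
// and the error that url.ParseQuery actually reports on Go >= 1.17.
type QueryOutcome struct {
	Lenient   url.Values
	StrictErr error
}

// InspectQuery parses raw once and keeps both the values and the error.
// On Go >= 1.17 a chunk containing ';' is skipped and an error is set,
// so a caller that ignores the error silently loses those parameters.
func InspectQuery(raw string) QueryOutcome {
	v, err := url.ParseQuery(raw)
	return QueryOutcome{Lenient: v, StrictErr: err}
}

// ParseQueryStrict (hypothetical hardening) refuses any raw ';' before
// parsing, so the result is identical on pre- and post-1.17 runtimes, and
// also refuses anything net/url itself rejects. A percent-encoded %3B is
// still accepted because it decodes to a literal value, not a delimiter.
func ParseQueryStrict(raw string) (url.Values, error) {
	if strings.Contains(raw, ";") {
		return nil, fmt.Errorf("query contains ';': rejected to avoid delimiter ambiguity")
	}
	v, err := url.ParseQuery(raw)
	if err != nil {
		return nil, err
	}
	return v, nil
}

func main() {
	// Constructed sample query string for demonstration.
	raw := "a=1;b=2&c=3"
	out := InspectQuery(raw)
	fmt.Printf("lenient values (error dropped): %v\n", out.Lenient)
	fmt.Printf("reported error:                 %v\n", out.StrictErr)
	_, err := ParseQueryStrict(raw)
	fmt.Printf("hardened wrapper:               %v\n", err)
}
```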