Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
AnalysisAI
Adjacent network code execution in gopls language server occurs when developers use debugging flags -listen or -port without explicit host specification. The Go language server (gopls) binds to all network interfaces (0.0.0.0) instead of localhost when these debugging flags are used, enabling unauthenticated remote code execution from adjacent network attackers. No public exploit identified at time of analysis, though the attack vector is straightforward for developers who enable network debugging in shared network environments like coffee shops or corporate LANs. EPSS data not available for this recent CVE.
Technical ContextAI
gopls is the official Go language server providing IDE features like code completion and diagnostics. It typically uses inter-process communication via named pipes for local-only communication between the editor and language server process. The -listen and -port flags are debugging features allowing network-based communication with the language server. CWE-1327 (Binding to an Unrestricted IP Address) occurs when the code fails to validate that network binding uses localhost (127.0.0.1) versus all interfaces (0.0.0.0). When users specify values like ':8080' (missing host component) or use -port without additional host specification, Go's default network binding behavior accepts connections from any network interface. The golang.org/x/tools/gopls package is affected across all versions until patched, as indicated by the CPE string with wildcard version.
RemediationAI
Update gopls to the version containing the fix from Go change list 774381 (exact version number to be confirmed from https://go.dev/cl/774381 when release is tagged). Until patched version is deployed, developers using gopls debugging flags must explicitly specify localhost binding: use '-listen=127.0.0.1:8080' or '-listen=localhost:8080' instead of ':8080' to prevent binding to all network interfaces. Workaround trade-off: explicit localhost binding eliminates network exposure but requires modifying existing debugging workflows and launch configurations. Network-layer mitigation: configure host-based firewalls to block inbound connections to gopls debugging ports (typically high-numbered ports) from non-localhost sources, though this requires identifying which ports developers are using and does not prevent attacks from other processes on the same machine. Organizations should audit developer documentation and IDE configuration templates to replace any examples showing unsafe flag usage patterns. For developers who must use network-accessible gopls instances (remote debugging scenarios), implement authentication proxy or SSH tunneling rather than direct network exposure.
Same weakness CWE-1327 – Binding to an Unrestricted IP Address
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27872
GHSA-9344-f92h-vr44