Skip to main content

gopls CVE-2026-42503

| EUVDEUVD-2026-27872 HIGH
Binding to an Unrestricted IP Address (CWE-1327)
2026-05-06 Go GHSA-9344-f92h-vr44
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 06, 2026 - 18:02 EUVD
Analysis Generated
May 06, 2026 - 17:32 vuln.today
CVSS changed
May 06, 2026 - 17:22 NVD
8.8 (HIGH)

DescriptionCVE.org

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.

AnalysisAI

Adjacent network code execution in gopls language server occurs when developers use debugging flags -listen or -port without explicit host specification. The Go language server (gopls) binds to all network interfaces (0.0.0.0) instead of localhost when these debugging flags are used, enabling unauthenticated remote code execution from adjacent network attackers. No public exploit identified at time of analysis, though the attack vector is straightforward for developers who enable network debugging in shared network environments like coffee shops or corporate LANs. EPSS data not available for this recent CVE.

Technical ContextAI

gopls is the official Go language server providing IDE features like code completion and diagnostics. It typically uses inter-process communication via named pipes for local-only communication between the editor and language server process. The -listen and -port flags are debugging features allowing network-based communication with the language server. CWE-1327 (Binding to an Unrestricted IP Address) occurs when the code fails to validate that network binding uses localhost (127.0.0.1) versus all interfaces (0.0.0.0). When users specify values like ':8080' (missing host component) or use -port without additional host specification, Go's default network binding behavior accepts connections from any network interface. The golang.org/x/tools/gopls package is affected across all versions until patched, as indicated by the CPE string with wildcard version.

RemediationAI

Update gopls to the version containing the fix from Go change list 774381 (exact version number to be confirmed from https://go.dev/cl/774381 when release is tagged). Until patched version is deployed, developers using gopls debugging flags must explicitly specify localhost binding: use '-listen=127.0.0.1:8080' or '-listen=localhost:8080' instead of ':8080' to prevent binding to all network interfaces. Workaround trade-off: explicit localhost binding eliminates network exposure but requires modifying existing debugging workflows and launch configurations. Network-layer mitigation: configure host-based firewalls to block inbound connections to gopls debugging ports (typically high-numbered ports) from non-localhost sources, though this requires identifying which ports developers are using and does not prevent attacks from other processes on the same machine. Organizations should audit developer documentation and IDE configuration templates to replace any examples showing unsafe flag usage patterns. For developers who must use network-accessible gopls instances (remote debugging scenarios), implement authentication proxy or SSH tunneling rather than direct network exposure.

Share

CVE-2026-42503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy