Security Vulnerability Report
CVE-2026-42503 CVSS 8.8 HIGH

CVE-2026-42503

Published: 2026-05-06 17:16:23
Last Modified: 2026-05-07 15:53:50

Description

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
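
A defender-side check for the condition described above, as an added example that is not gopls code or part of the advisory: it classifies a gopls argument list (for instance, taken from a process listing) as exposed when -port is present or -listen has an empty or wildcard host. The function name exposedListener and the sample command lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// exposedListener reports whether a gopls argument list makes gopls listen on
// all interfaces, following the advisory text: -port always does, and -listen
// does when the host part is empty or a wildcard address.
func exposedListener(args []string) (bool, string) {
	for i := 0; i < len(args); i++ {
		name, val, hasVal := strings.Cut(strings.TrimLeft(args[i], "-"), "=")
		if !strings.HasPrefix(args[i], "-") || (name != "listen" && name != "port") {
			continue
		}
		if !hasVal && i+1 < len(args) { // space-separated form: "-listen :8080"
			i++
			val = args[i]
		}
		if name == "port" {
			return true, "-port " + val + " binds 0.0.0.0"
		}
		host, _, err := net.SplitHostPort(val)
		if err != nil {
			continue // value is not host:port, so it is not a TCP wildcard bind
		}
		if ip := net.ParseIP(host); host == "" || (ip != nil && ip.IsUnspecified()) {
			return true, "-listen " + val + " binds all interfaces"
		}
	}
	return false, ""
}

func main() {
	// Constructed sample command lines, not taken from any real host.
	for _, cmd := range []string{
		"gopls -listen=:8080",
		"gopls serve -port 37374",
		"gopls -listen=127.0.0.1:8080",
		"gopls",
	} {
		bad, why := exposedListener(strings.Fields(cmd)[1:])
		fmt.Printf("%-30s exposed=%v %s\n", cmd, bad, why)
	}
}
```

Binding the debug listener to an explicit loopback host, such as 127.0.0.1:8080, keeps it off the local network; the default pipe transport opens no listener at all.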

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

gopls (for the specific affected versions, refer to the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-42503: gopls Remote Code Execution via 0.0.0.0 binding
# This script attempts to connect to a vulnerable gopls instance.

TARGET_IP = "192.168.1.X"  # Replace with the target IP address
TARGET_PORT = 8080  # Replace with the vulnerable port


def check_vulnerability():
    print(f"[*] Attempting to connect to {TARGET_IP}:{TARGET_PORT}...")
    try:
        # Establish a TCP connection to the target; the context manager
        # closes the socket on every path, including errors.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)
            s.connect((TARGET_IP, TARGET_PORT))
            print("[+] Connection successful! The port is open.")

            # In a real exploit scenario, an attacker would send a malicious LSP payload
            # to trigger code execution. Below is a placeholder for the payload structure.
            # Example payload structure (conceptual):
            # payload = '{"jsonrpc":"2.0","id":1,"method":"textDocument/executeCommand","params":{"command":"exploit"}}'
            # s.send(payload.encode())

            # Note: a successful TCP connect only shows that something is
            # listening on the port; it does not identify the service as gopls.
            print("[!] Vulnerability confirmed: gopls is accessible externally.")
            print("[!] Further exploitation requires crafting specific LSP commands.")
    except socket.timeout:
        print("[-] Connection timed out. Target may be unreachable or firewall is active.")
    except ConnectionRefusedError:
        print("[-] Connection refused. Port may be closed or not listening on 0.0.0.0.")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    check_vulnerability()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42503", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:23.417", "lastModified": "2026-05-07T15:53:49.717", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging.\nIf -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. \nAs a result, users might inadvertently cause gopls to bind 0.0.0.0.\nThis can allow a malicious party on the same network to execute code arbitrarily via gopls."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1327"}]}], "references": [{"url": "https://go.dev/cl/774381", "source": "[email protected]"}, {"url": "https://go.dev/issue/79211", "source": "[email protected]"}]}}