Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue

Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions.

Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions.

Go, or Golang, is an open source programming language designed for building reliable and efficient software at scale. Supported by Google, Go is leveraged by some of the world’s largest companies and it’s often used to develop cloud-native apps, including for Kubernetes.

Oxeye researchers have conducted an analysis of Go-based cloud-native applications and discovered an edge case that could have serious implications.

The issue, which they have dubbed ParseThru, is related to unsafe URL parsing. Until version 1.17, Go considered semicolons in the query part of a URL as a valid delimiter. Starting with this version, an error is returned if the URL query contains a semicolon.

Oxeye researchers discovered that if a user-facing application is running on Go 1.17 or later and the associated backend service is running on an earlier version of Go, an attacker can smuggle requests with query parameters that would normally be rejected.

The cybersecurity firm has described the following theoretical attack scenario:

ParseThru URL parsing attack affecting Go applications

The researchers identified several open source projects affected by this behavior. The list includes the Skipper HTTP router and reverse proxy for service composition, the Traefik HTTP reverse proxy and load balancer, and Harbor, a CNCF project designed for securing artifacts and ensuring that container images are free of vulnerabilities and trusted.

Daniel Abeles, one of the Oxeye researchers who discovered the vulnerability, told SecurityWeek that in the case of Harbor, a threat actor could read private, restricted Docker images they would otherwise not be able to access.

Oxeye has reported its findings to impacted applications and their developers have released patches.

Application developers are advised to consider using alternative methods for parsing query strings or ensure that queries containing a semicolon are rejected in order to prevent abuse.

Related: ‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

Related: New Database Catalogs Cloud Vulnerabilities, Security Issues

Related: Vulnerability in Amazon Photos Android App Exposed User Information

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.