The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0211" }