CVE-2026-25679
Medium · CVSS 5.3
Medium impact: this CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.

KrakenD uses Go's net/url to parse and validate backend URLs. A crafted IPv6 hostname in a proxied request could bypass host validation, potentially reaching unintended network targets. Any deployment that accepts dynamic upstream URL components from external sources is most exposed.

Component: Go standard library (net/url)
Disclosed: Mar 9, 2026
CVSS Score: 5.3
The Go net/url package incorrectly accepts IPv6 literal addresses that do not appear at the start of the host portion of a URL, violating RFC 3986. This validation gap could allow a specially crafted URL to reach unintended network targets or circumvent host-based access controls in applications that rely on net/url for URL parsing and validation.

Community Edition: 2.13.2 addresses this CVE
Affected CE versions: >= 2.0, < 2.13.2
Enterprise Edition: 2.13.0 addresses this CVE
Affected EE versions: >= 2.0, < 2.13.0
Upgrade to the addressed version or later to remediate this vulnerability.
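Added example, not KrakenD's code or the upstream Go fix: a strict host check in Go that enforces the RFC 3986 host rule described above and is applied to the parsed host after url.Parse, so a gateway can refuse such backend URLs even on a toolchain that has not been patched. Every hostname and port used here is constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
)

// ValidateHost enforces the RFC 3986 rule the affected net/url versions skipped: '[' and ']' are legal only as an IPv6 literal enclosing the whole host, "[v6]" or "[v6]:port".
func ValidateHost(host string) error {
	lb, rb := strings.IndexByte(host, '['), strings.IndexByte(host, ']')
	if lb < 0 && rb < 0 {
		// No brackets: hostname or IPv4 plus optional ":port"; a second colon is an unbracketed IPv6.
		if host == "" || strings.Count(host, ":") > 1 {
			return fmt.Errorf("empty host or unbracketed IPv6 literal: %q", host)
		}
		return nil
	}
	// Brackets present: exactly one pair, and '[' must be the first byte of the host.
	if lb != 0 || rb < 0 || strings.LastIndexByte(host, '[') != 0 || strings.LastIndexByte(host, ']') != rb {
		return fmt.Errorf("IPv6 literal must enclose the whole host: %q", host)
	}
	if addr, err := netip.ParseAddr(host[1:rb]); err != nil || !addr.Is6() {
		return fmt.Errorf("invalid IPv6 literal in %q", host)
	}
	// Only an optional ":port" may follow the closing bracket.
	if rest := host[rb+1:]; rest != "" && (rest[0] != ':' || !isPort(rest[1:])) {
		return fmt.Errorf("unexpected text after IPv6 literal in %q", host)
	}
	return nil
}

// isPort reports whether s is an unsigned decimal port number in 0..65535.
func isPort(s string) bool {
	n, err := strconv.Atoi(s)
	return err == nil && n <= 65535 && !strings.ContainsAny(s, "+-")
}

// ParseBackendURL runs url.Parse and then ValidateHost on the parsed host, so a backend URL that the affected net/url versions would have accepted is refused.
func ParseBackendURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := ValidateHost(u.Host); err != nil {
		return nil, err
	}
	return u, nil
}
```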