Control: tags 1118422 + fixed-upstream

The fix has been merged upstream in PR #42:
https://github.com/PuerkitoBio/purell/pull/42

The root cause was deeper than the original report suggested. Go 1.24.8
fixed CVE-2025-47912 by adding stricter IPv6 validation in parseHost, but
the implementation was too broad — it also rejected IPv4-mapped IPv6
addresses (::ffff:x.x.x.x) which are not related to the CVE. Go filed issue
#75815 and fixed the regression in Go 1.24.10. The fix in PR #42 replaces
the three IPv4-mapped test addresses with 2001:db8::1 (RFC 3849
documentation range), which works correctly across all Go versions
including 1.24.8 and 1.24.9.

Upstream issue #41 was automatically closed when the PR was merged. The
package can now be updated to include this fix.

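An added example, not part of the original message or of purell's code: a small probe that reports how the running Go toolchain treats the two kinds of bracketed host discussed above. The type and function names are hypothetical, and the sample addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// HostCheck records how the running Go toolchain treats one bracketed host.
// (Hypothetical helper type for this example.)
type HostCheck struct {
	Literal  string // address as written between the brackets
	ValidIP  bool   // netip.ParseAddr accepts it as an IP address
	Is4In6   bool   // it is an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
	URLParse bool   // url.Parse accepts http://[Literal]/ on this toolchain
	Hostname string // hostname returned by url.Parse, if it succeeded
}

// CheckBracketedHost classifies literal and tries it as a bracketed URL host.
func CheckBracketedHost(literal string) HostCheck {
	c := HostCheck{Literal: literal}
	if addr, err := netip.ParseAddr(literal); err == nil {
		c.ValidIP = true
		c.Is4In6 = addr.Is4In6()
	}
	if u, err := url.Parse("http://[" + literal + "]/"); err == nil {
		c.URLParse = true
		c.Hostname = u.Hostname()
	}
	return c
}

func main() {
	// Constructed sample addresses (RFC 5737 and RFC 3849 documentation ranges).
	for _, lit := range []string{"::ffff:192.0.2.1", "2001:db8::1"} {
		c := CheckBracketedHost(lit)
		fmt.Printf("%-18s validIP=%t is4in6=%t urlParse=%t\n",
			c.Literal, c.ValidIP, c.Is4In6, c.URLParse)
	}
}
```

Per the message above, the IPv4-mapped line is the one whose urlParse result differs on Go 1.24.8 and 1.24.9, while the 2001:db8::1 line is the same on every version.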