HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Moderate severity GitHub Reviewed Published Mar 12, 2025 to the GitHub Advisory Database • Updated Mar 12, 2025

Package

gomod golang.org/x/net (Go)

Affected versions

< 0.36.0

Patched versions

0.36.0

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
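The mismatch can be reproduced with a simplified matcher. The following is an added example, not code from golang.org/x/net: `suffixMatch`, `naiveBypass` and `strictBypass` are hypothetical names, and only the "*.domain" pattern form is handled. It contrasts a check that compares the full bracket contents with one that cuts off the zone ID before classifying the host.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// suffixMatch reports whether host falls under a wildcard pattern such as
// "*.example.com" (simplified: only the "*.domain" form is handled).
func suffixMatch(host, pattern string) bool {
	suffix := strings.ToLower(strings.TrimPrefix(pattern, "*"))
	return strings.HasSuffix(strings.ToLower(host), suffix)
}

// naiveBypass compares the whole bracket contents, zone ID included.
// net.ParseIP does not accept zoned literals, so the host is not
// recognised as an IP address and is matched like a DNS name.
func naiveBypass(hostport, pattern string) bool {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return false
	}
	if net.ParseIP(host) != nil {
		return false // IP literals never match a domain wildcard
	}
	return suffixMatch(host, pattern)
}

// strictBypass cuts the zone ID off before classifying the host, so an
// IPv6 literal stays an IP literal whatever text follows the '%'.
func strictBypass(hostport, pattern string) bool {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return false
	}
	addr, _, _ := strings.Cut(host, "%")
	if net.ParseIP(addr) != nil {
		return false
	}
	return suffixMatch(addr, pattern)
}

func main() {
	const pattern = "*.example.com"
	for _, hp := range []string{"[::1%25.example.com]:80", "api.example.com:80", "[::1]:80"} {
		fmt.Printf("%-26s naive=%-5v strict=%v\n", hp, naiveBypass(hp, pattern), strictBypass(hp, pattern))
	}
}
```

Only the zoned literal differs between the two checks: the naive one reports it as covered by the pattern, the strict one does not.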

References

Published by the National Vulnerability Database Mar 12, 2025
Published to the GitHub Advisory Database Mar 12, 2025
Reviewed Mar 12, 2025
Last updated Mar 12, 2025

Severity

Moderate

EPSS score

Weaknesses

CVE ID

CVE-2025-22870

GHSA ID

GHSA-qxp5-gwg8-xv66