CVE-2025-22870
Published 2025-03-12
CVE-2025-22870: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component.
Priority P415 · medium · 4.4 (CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
EPSS: 0.38% (30.2th percentile)
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
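As an added illustration (constructed here, not code from golang.org/x/net or from any of the advisories on this page), a simplified NO_PROXY matcher in two forms: `NaiveNoProxyMatch` suffix-matches the raw host string and so reproduces the mismatch the description gives, while `SafeNoProxyMatch` cuts off the zone ID first and never matches an IP literal against a domain pattern. Pattern semantics are deliberately reduced to `*.suffix`, exact hostname, exact IP and CIDR; the assumed inputs are the advisory's own `*.example.com` and `[::1%25.example.com]:80`.

```go
package main

import (
	"net"
	"strings"
)

// hostOf returns the host part of "host:port", with brackets removed.
func hostOf(hostport string) string {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		host = strings.Trim(hostport, "[]") // no port given
	}
	return host
}

// NaiveNoProxyMatch reproduces the flawed behaviour the advisory describes:
// the raw host string, zone ID included, is suffix-matched against a domain
// pattern (constructed simplification, not golang.org/x/net's code).
func NaiveNoProxyMatch(pattern, hostport string) bool {
	host := hostOf(hostport)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:]) // "*.example.com" -> ".example.com"
	}
	return strings.EqualFold(host, pattern)
}

// SafeNoProxyMatch separates IP literals from hostnames before matching.
// The zone ID ("%eth0", or "%25eth0" when percent-encoded in a URL) is cut
// off first, so it can never be mistaken for a DNS label.
func SafeNoProxyMatch(pattern, hostport string) bool {
	host := hostOf(hostport)
	if i := strings.Index(host, "%"); i >= 0 {
		host = host[:i]
	}
	if ip := net.ParseIP(host); ip != nil {
		// An IP literal only matches an IP or CIDR pattern, never a domain pattern.
		if _, cidr, err := net.ParseCIDR(pattern); err == nil {
			return cidr.Contains(ip)
		}
		pip := net.ParseIP(pattern)
		return pip != nil && pip.Equal(ip)
	}
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(strings.ToLower(host), strings.ToLower(pattern[1:]))
	}
	return strings.EqualFold(host, pattern)
}
```

With the advisory's inputs, `NaiveNoProxyMatch("*.example.com", "[::1%25.example.com]:80")` returns true (request bypasses the proxy) and `SafeNoProxyMatch` returns false (request is proxied).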
Affected
28 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| go_standard_library | net_http | < 1.23.7 | 1.23.7 |
| go_standard_library | net_http | >= 1.24.0-0 < 1.24.1 | 1.24.1 |
| golang.org | x_net | >= 0 < 0.36.0 | 0.36.0 |
| golang.org | x_net_golang.org_x_net_http_httpproxy | < 0.36.0 | 0.36.0 |
| golang.org | x_net_golang.org_x_net_proxy | < 0.36.0 | 0.36.0 |
| msrc | azl3_azcopy_10.25.1-4 | — | — |
| msrc | azl3_gcc_13.2.0-7 | — | — |
| msrc | azl3_git-lfs_3.6.1-2 | — | — |
| msrc | azl3_golang_1.23.9-1 | — | — |
| msrc | azl3_golang_1.24.3-1 | — | — |
| msrc | azl3_influxdb_2.7.5-3 | — | — |
| msrc | azl3_influxdb_2.7.5-5 | — | — |
| msrc | azl3_keda_2.14.1-6 | — | — |
| msrc | azl3_keda_2.14.1-7 | — | — |
| msrc | azl3_packer_1.9.5-8 | — | — |
| msrc | azl3_packer_1.9.5-9 | — | — |
| msrc | azl3_prometheus-node-exporter_1.7.0-3 | — | — |
| msrc | azl3_prometheus-process-exporter_0.8.2-2 | — | — |
| msrc | azl3_prometheus_2.45.4-12 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6 | — | — |
| msrc | azl3_telegraf_1.31.0-10 | — | — |
| msrc | azl3_telegraf_1.31.0-6 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| osv | 6.1 | MEDIUM | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
| vendor_debian | 4.4 | MEDIUM | — |
| vendor_msrc | 4.4 | MEDIUM | — |
| vendor_redhat | 4.4 | MEDIUM | — |
Ubuntu
Go vulnerabilities
vendor_ubuntu·2025-06-18·CVSS 6.1
CVE-2024-45341 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Kyle Seely discovered that the Go net/http module did not properly handle
sensitive headers during repeated redirects. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2024-45336)
Juho Forsén discovered that the Go crypto/x509 module incorrectly handled
IPv6 addresses during URI parsing. An attacker could possibly use this
issue to bypass certificate URI constraints. (CVE-2024-45341)
It was discovered that the Go crypto module did not properly handle
variable time instructions under certain circumstances on 64-bit Power
(ppc64el) systems. An attacker could possibly use this issue to expose
sensitive information. (CVE-2025-22866)
It was discovered that the Go http/httpproxy modul
Red Hat
golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
vendor_redhat·2025-03-12·CVSS 4.4
CVE-2025-22870 [MEDIUM] CWE-20 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
A flaw was found in proxy host matching. This vulnerability allows improper bypassing of proxy settings via manipulating an IPv6 zone ID, causing unintended matches against the NO_PROXY environment variable.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespr
Microsoft
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
vendor_msrc·2025-03-11·CVSS 4.4
CVE-2025-22870 [MEDIUM] CWE-115 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.mic
Debian
CVE-2025-22870: golang-1.15 - Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as...
vendor_debian·2025·CVSS 4.4
CVE-2025-22870 [MEDIUM] CVE-2025-22870: golang-1.15 - Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as...
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Scope: local
bullseye: open
OSV
golang-1.22 vulnerabilities
osv·2025-06-18·CVSS 6.1
CVE-2024-45336 [MEDIUM] golang-1.22 vulnerabilities
golang-1.22 vulnerabilities
Kyle Seely discovered that the Go net/http module did not properly handle
sensitive headers during repeated redirects. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2024-45336)
Juho Forsén discovered that the Go crypto/x509 module incorrectly handled
IPv6 addresses during URI parsing. An attacker could possibly use this
issue to bypass certificate URI constraints. (CVE-2024-45341)
It was discovered that the Go crypto module did not properly handle
variable time instructions under certain circumstances on 64-bit Power
(ppc64el) systems. An attacker could possibly use this issue to expose
sensitive information. (CVE-2025-22866)
It was discovered that the Go http/httpproxy module did not properly
handle IPv6 zone IDs during hos
OSV
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
osv·2025-03-12
CVE-2025-22870 [MEDIUM] HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
OSV
CVE-2025-22870: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component
osv·2025-03-12·CVSS 4.4
CVE-2025-22870 [MEDIUM] CVE-2025-22870: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
GHSA
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
ghsa·2025-03-12
CVE-2025-22870 [MEDIUM] CWE-115 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-22870 fluent-bit: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [epel-9]
bugzilla·2025-03-13·CVSS 4.4
CVE-2025-22870 [MEDIUM] CVE-2025-22870 fluent-bit: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [epel-9]
CVE-2025-22870 fluent-bit: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [epel-9]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2351766
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-22870 ceph: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [fedora-41]
bugzilla·2025-03-13·CVSS 4.4
CVE-2025-22870 [MEDIUM] CVE-2025-22870 ceph: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [fedora-41]
CVE-2025-22870 ceph: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [fedora-41]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2351766
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 41 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '41'
Bugzilla
CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
bugzilla·2025-03-12·CVSS 4.4
CVE-2025-22870 [MEDIUM] CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Discussion:
This issue has been addressed in the following products:
RHODF-4.18-RHEL-9
Via RHSA-2025:7616 https://access.redhat.com/errata/RHSA-2025:7616
Published: 2025-03-12