CVE-2025-22870 — Misinterpretation of Input in X NET Golang.org X NET Proxy

CWE-115 — Misinterpretation of Input CWE-20 — Improper Input Validation9 documents8 sources

Severity

4.4MEDIUMNVD

EPSS

0.0%

top 91.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET Http Golang.org X NET Golang.org X NET Http Httpproxy Golang.org X NET Golang.org X NET Proxy +1 more

Timeline

PublishedMar 12

Latest updateJun 18

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5golang.org/x_net_golang.org_x_net_proxy< 0.36.0

▶CVEListV5golang.org/x_net_golang.org_x_net_http_httpproxy< 0.36.0

▶Gogolang.org/x_net< 0.36.0

▶CVEListV5go_standard_library/net_http1.24.0-0 — 1.24.1+1

🔴Vulnerability Details

CVEList

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net↗2025-03-12

▶

OSV

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net↗2025-03-12

▶

OSV

CVE-2025-22870: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component↗2025-03-12

▶

GHSA

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net↗2025-03-12

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2025-06-18

▶

Red Hat

golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net↗2025-03-12

▶

Microsoft

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net↗2025-03-11

▶

Debian

CVE-2025-22870: golang-1.15 - Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as...↗2025

▶