CVE-2025-22870
published 2025-03-12

Priority: P4 (15)
CVSS 3.1: 4.4 (medium), AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS: 0.38% (30.2th percentile)

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.

Affected

28 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.1-1 (forky) | golang-1.24 1.24.1-1 (forky) |
| go_standard_library | net_http | < 1.23.7 | 1.23.7 |
| go_standard_library | net_http | >= 1.24.0-0 < 1.24.1 | 1.24.1 |
| golang.org | x_net | >= 0 < 0.36.0 | 0.36.0 |
| golang.org | x_net_golang.org_x_net_http_httpproxy | < 0.36.0 | 0.36.0 |
| golang.org | x_net_golang.org_x_net_proxy | < 0.36.0 | 0.36.0 |
| msrc | azl3_azcopy_10.25.1-4 | | |
| msrc | azl3_gcc_13.2.0-7 | | |
| msrc | azl3_git-lfs_3.6.1-2 | | |
| msrc | azl3_golang_1.23.9-1 | | |
| msrc | azl3_golang_1.24.3-1 | | |
| msrc | azl3_influxdb_2.7.5-3 | | |
| msrc | azl3_influxdb_2.7.5-5 | | |
| msrc | azl3_keda_2.14.1-6 | | |
| msrc | azl3_keda_2.14.1-7 | | |
| msrc | azl3_packer_1.9.5-8 | | |
| msrc | azl3_packer_1.9.5-9 | | |
| msrc | azl3_prometheus-node-exporter_1.7.0-3 | | |
| msrc | azl3_prometheus-process-exporter_0.8.2-2 | | |
| msrc | azl3_prometheus_2.45.4-12 | | |
| msrc | azl3_python-tensorboard_2.16.2-6 | | |
| msrc | azl3_telegraf_1.31.0-10 | | |
| msrc | azl3_telegraf_1.31.0-6 | | |

CVSS provenance

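| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| osv | | 6.1 | MEDIUM | |
| vendor_ubuntu | | 6.1 | MEDIUM | |
| vendor_debian | | 4.4 | MEDIUM | |
| vendor_msrc | | 4.4 | MEDIUM | |
| vendor_redhat | | 4.4 | MEDIUM | |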