CVE-2025-22870
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
| CVSS Score | 4.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 9th |
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
| Vendor | go standard library |
| Product | net/http |
| Published | Mar 12, 2025 |
| Last Updated | Apr 16, 2026 |
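The matching flaw described above, as an added illustration (not code from golang.org/x/net or the Go project): a simplified suffix matcher beside a stricter one that never applies domain patterns to IP literals. The function names and the two constructed hosts are assumptions; the pattern and the zone-ID host are the ones from the description.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// splitHost returns the lower-cased host part of a "host:port" authority.
func splitHost(hostport string) (string, bool) {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return "", false
	}
	return strings.ToLower(host), true
}

// naiveNoProxyMatch (hypothetical) applies "*.domain" as a plain suffix test
// on whatever sits in the host position, IPv6 zone ID included.
func naiveNoProxyMatch(hostport, pattern string) bool {
	host, ok := splitHost(hostport)
	return ok && strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

// strictNoProxyMatch (hypothetical) applies domain patterns to DNS names only.
// netip.ParseAddr accepts "addr%zone", so zoned literals are caught as IPs;
// leftover ':' or '%' (e.g. an empty zone) is rejected as well.
func strictNoProxyMatch(hostport, pattern string) bool {
	host, ok := splitHost(hostport)
	if !ok {
		return false
	}
	if _, err := netip.ParseAddr(host); err == nil || strings.ContainsAny(host, ":%") {
		return false
	}
	return strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

func main() {
	const pattern = "*.example.com" // NO_PROXY value from the description
	for _, hp := range []string{
		"api.example.com:80",      // constructed: legitimate domain match
		"[::1%25.example.com]:80", // host from the description
		"[::1]:80",                // constructed: plain IPv6 literal
	} {
		fmt.Printf("%-26s naive=%-5v strict=%v\n", hp, naiveNoProxyMatch(hp, pattern), strictNoProxyMatch(hp, pattern))
	}
}
```

The naive matcher reports a NO_PROXY match for the zone-ID host, while the strict one matches only `api.example.com:80`.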
Affected Versions
Go standard library / net/http
0 < 1.23.7
1.24.0-0 < 1.24.1
golang.org/x/net / golang.org/x/net/http/httpproxy
0 < 0.36.0
golang.org/x/net / golang.org/x/net/proxy
0 < 0.36.0
References
go.dev: https://go.dev/cl/654697
go.dev: https://go.dev/issue/71984
groups.google.com: https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
pkg.go.dev: https://pkg.go.dev/vuln/GO-2025-3503
openwall.com: http://www.openwall.com/lists/oss-security/2025/03/07/2
security.netapp.com: https://security.netapp.com/advisory/ntap-20250509-0007/
Credits
Juho Forsén of Mattermost