CVE-2025-22870

Summary

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/http0 < 1.23.7affected
Go standard librarynet/http1.24.0-0 < 1.24.1affected
golang.org/x/netgolang.org/x/net/http/httpproxy0 < 0.36.0affected
golang.org/x/netgolang.org/x/net/proxy0 < 0.36.0affected

Weaknesses

  • CWE-115 Misinterpretation of Input

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References