[oss-security] Go CVE-2025-22870: proxy bypass using IPv6 zone IDs

Alan Coopersmith Fri, 07 Mar 2025 13:16:48 -0800

https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
announces the release of Go versions 1.24.1 and 1.23.7, including a
security fix for:

net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.


--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

[oss-security] Go CVE-2025-22870: proxy bypass using IPv6 zone IDs

Reply via email to