CVE-2025-22870 | THREATINT

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

PUBLISHED Reserved 2025-01-08 | Published 2025-03-12 | Updated 2025-05-09 | Assigner Go

Problem types

CWE-115 Misinterpretation of Input

Product status

Default status

unaffected

Any version before 0.36.0

affected

Default status

unaffected

Any version before 0.36.0

affected

Credits

Juho Forsén of Mattermost

References

www.openwall.com/lists/oss-security/2025/03/07/2

security.netapp.com/advisory/ntap-20250509-0007/

go.dev/cl/654697

go.dev/issue/71984

pkg.go.dev/vuln/GO-2025-3503

cve.org (CVE-2025-22870)

nvd.nist.gov (CVE-2025-22870)

Download JSON

help @ threatint.eu