Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 951230 (CVE-2025-22870) - <dev-lang/go-{1.23.7,1.24.1} net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
Summary: <dev-lang/go-{1.23.7,1.24.1} net/http, x/net/proxy, x/net/http/httpproxy: pro...
Status: CONFIRMED
Alias: CVE-2025-22870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa? cleanup]
Keywords:
Depends on: 951232
Blocks:
  Show dependency tree
 
Reported: 2025-03-12 23:13 UTC by William Hubbs
Modified: 2025-03-31 18:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description William Hubbs gentoo-dev 2025-03-12 23:13:22 UTC 
Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.