AI description
CVE-2025-22870 refers to a proxy bypass vulnerability found in Golang's `x/net/proxy` and `x/net/http/httpproxy` packages. This vulnerability allowed malicious actors to bypass configured proxies using IPv6 zone IDs. This issue affected various Golang versions prior to 1.24.1 and 1.23.7. The vulnerability has been addressed in subsequent releases, and users are encouraged to update their Golang installations to mitigate the risk.
- Description
- Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
- Source
- security@golang.org
- NVD status
- Awaiting Analysis
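
The matching flaw in the description, as an added example (a simplified model written for this page, not the `x/net` code or its actual fix). The function names `naiveBypass` and `strictBypass` and the sample hosts are assumptions; the strict variant shows one way to keep zone IDs out of domain matching.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// naiveBypass models the flawed matching: the host string, zone ID included,
// is compared against NO_PROXY wildcard patterns as if it were a domain name.
func naiveBypass(host string, patterns []string) bool {
	host = strings.ToLower(strings.Trim(host, "[]"))
	for _, p := range patterns {
		suffix := strings.TrimPrefix(p, "*") // "*.example.com" -> ".example.com"
		if strings.HasSuffix(host, suffix) {
			return true
		}
	}
	return false
}

// strictBypass separates any zone ID first. An IP literal, or any host that
// carries a zone ID, is never compared against domain patterns.
func strictBypass(host string, patterns []string) bool {
	host = strings.ToLower(strings.Trim(host, "[]"))
	addr, _, hasZone := strings.Cut(host, "%")
	if _, err := netip.ParseAddr(addr); err == nil || hasZone {
		return false
	}
	return naiveBypass(host, patterns)
}

func main() {
	noProxy := []string{"*.example.com"} // pattern from the description
	// Constructed sample hosts. "%25" in a URL is the encoded "%" zone
	// delimiter, so "[::1%25.example.com]:80" has hostname "::1%.example.com".
	for _, h := range []string{"::1%.example.com", "api.example.com", "::1", "example.org"} {
		fmt.Printf("%-18s naive=%-5v strict=%v\n", h, naiveBypass(h, noProxy), strictBypass(h, noProxy))
	}
}
```

A `true` result means the request would skip the configured proxy; only the naive matcher returns `true` for the zone-ID host.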
CVSS 3.1
- Type
- Secondary
- Base score
- 4.4
- Impact score
- 2.5
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-115
- Hype score
- Not currently trending
New post from https://t.co/uXvPWJy6tj (CVE-2025-22870 | Google Go up to 1.23.6/1.24.0 IPv6 Zone ID interpretation input (Nessus ID 232161)) has been published on https://t.co/neKgtxjUL4
@WolfgangSesin
19 Mar 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.24.1 and 1.23.7 have been released as minor point releases. They include a security fix for a proxy bypass using IPv6 zone IDs (CVE-2025-22870). https://t.co/qildoIPHyq
@golangjp
6 Mar 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🎉 Go 1.24.1 and 1.23.7 are released! 🔐 Security: Includes a security fix for net/http (CVE-2025-22870) 🗣 Announcement: https://t.co/rcSFLJtfGz 🗃 Download: https://t.co/NR3n564izi #golang https://t.co/ftVZicm3C7
@golang
4 Mar 2025
20127 Impressions
124 Retweets
471 Likes
19 Bookmarks
1 Reply
6 Quotes