Description:
In Go net/http, x/net/proxy, and x/net/http/httpproxy there is a proxy bypass vulnerability using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80" would incorrectly match and not be proxied. This affects versions before 1.23.7 and 1.24.x before 1.24.1.
Fix:
Upgrade to version go1.23.7
The reported vulnerability was not checked for vulnerability effectiveness and is suggested to be examined using Effective Usage Analysis.
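The matching flaw described above, as an added example that is not part of the original report and is not the Go project's code: a simplified NO_PROXY matcher that compares the host as a plain string, next to one that refuses domain-pattern matching for IP literals. The function names are hypothetical, only domain-suffix patterns are handled, and the host strings are constructed (the report's example with brackets and port removed and `%25` decoded to `%`).

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// suffixes turns a NO_PROXY value such as "*.example.com" into the domain
// suffixes to compare against (".example.com"). IP and CIDR entries are
// outside the scope of this sketch and are skipped.
func suffixes(noProxy string) []string {
	var out []string
	for _, p := range strings.Split(noProxy, ",") {
		p = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(p)), "*")
		if strings.HasPrefix(p, ".") {
			out = append(out, p)
		}
	}
	return out
}

// naiveBypass models the flaw: the host is matched as a plain string, so an
// IPv6 zone ID that ends in the suffix counts as a hostname component.
func naiveBypass(host, noProxy string) bool {
	host = strings.ToLower(host)
	for _, s := range suffixes(noProxy) {
		if strings.HasSuffix(host, s) {
			return true
		}
	}
	return false
}

// hardenedBypass parses the host first. An IP literal, with or without a
// zone ID, is never eligible for domain-suffix matching.
func hardenedBypass(host, noProxy string) bool {
	if _, err := netip.ParseAddr(host); err == nil {
		return false
	}
	return naiveBypass(host, noProxy)
}

func main() {
	// Constructed hosts: a real subdomain, the zone-ID case, a plain IPv6 literal.
	for _, h := range []string{"www.example.com", "::1%.example.com", "::1"} {
		fmt.Printf("%-18s naive=%v hardened=%v\n", h,
			naiveBypass(h, "*.example.com"), hardenedBypass(h, "*.example.com"))
	}
}
```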