AI description
CVE-2025-22870 refers to a proxy bypass vulnerability found in Golang's `x/net/proxy` and `x/net/http/httpproxy` packages. This vulnerability allowed malicious actors to bypass configured proxies using IPv6 zone IDs. This issue affected various Golang versions prior to 1.24.1 and 1.23.7. The vulnerability has been addressed in subsequent releases, and users are encouraged to update their Golang installations to mitigate the risk.
- Description
- Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
- Source
- security@golang.org
- NVD status
- Awaiting Analysis
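The matching flaw in the description above, as an added example that is not code from `x/net` or from this page: a simplified model of NO_PROXY matching in which `naiveBypass` and `strictBypass` are hypothetical names. The host is shown in decoded form (`%25` is the URL encoding of `%`).

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// naiveBypass models the flaw: the raw host string, zone ID included, is
// suffix-matched against NO_PROXY domain patterns as if it were a DNS name.
// "*.example.com" and ".example.com" cover subdomains; "example.com" also
// covers the bare domain.
func naiveBypass(host string, noProxy []string) bool {
	host = strings.ToLower(host)
	for _, p := range noProxy {
		p = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(p)), "*")
		if strings.HasPrefix(p, ".") {
			if strings.HasSuffix(host, p) {
				return true
			}
		} else if host == p || strings.HasSuffix(host, "."+p) {
			return true
		}
	}
	return false
}

// strictBypass parses the host first. An IP literal, zoned or not, is only
// compared with IP entries in NO_PROXY and never with domain patterns.
func strictBypass(host string, noProxy []string) bool {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return naiveBypass(host, noProxy) // not an IP literal, so a hostname
	}
	addr = addr.WithZone("") // the zone is link-local scope, not part of a name
	for _, p := range noProxy {
		if pa, err := netip.ParseAddr(strings.TrimSpace(p)); err == nil && pa == addr {
			return true
		}
	}
	return false
}

func main() {
	noProxy := []string{"*.example.com"} // constructed sample, as in the description
	host := "::1%.example.com"           // decoded host of "[::1%25.example.com]:80"
	fmt.Println("naive bypasses proxy: ", naiveBypass(host, noProxy))
	fmt.Println("strict bypasses proxy:", strictBypass(host, noProxy))
}
```

A check like `strictBypass` can also serve as a regression test input for egress code that makes its own proxy decisions instead of relying on a patched Go release.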
CVSS 3.1
- Type
- Secondary
- Base score
- 4.4
- Impact score
- 2.5
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-115
- Hype score
- Not currently trending
🔥URGENT #Fedora42 Update!🔥 reposurgeon 5.3 lands w/ CRITICAL patch for CVE-2025-22870 (IPv6 proxy bypass DoS). Fixes FTBFS too. ⚠️ Impacts: DevOps doing VCS surgery/migration (Git, Hg, SVN). Read more: https://t.co/Ccc7tDHplG https://t.co/pGwh5JWCxX
@Cezar_H_Linux
3 Aug 2025
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-22870 Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. Github link: https://t.co/cJeOscu6oE
@PoC_in_Github
19 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability: CVE-2025-22870 affecting webpagereplay https://t.co/xgIRQxhuaW
@BugsAggregator
5 Jul 2025
233 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
SSRF PoC – CVE-2025-22870 – HTTP Proxy Bypass via IPv6 Zone ID in Go https://t.co/HRwXKR0svB
@JoshuaProvoste
8 Jun 2025
468 Impressions
0 Retweets
11 Likes
4 Bookmarks
0 Replies
0 Quotes
⚠ CVE-2025-22870 & CVE-2025-22871: Golang vulnerabilities in Mageia Linux allow HTTP request smuggling & IPv6 proxy bypass. 🔐 Patch now (golang-1.23.8-1.mga9) or risk exploitation. Details: https://t.co/0btEeFH2vH #Golang #ZeroD
@Cezar_H_Linux
3 Jun 2025
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New post from https://t.co/uXvPWJy6tj (CVE-2025-22870 | Google Go up to 1.23.6/1.24.0 IPv6 Zone ID interpretation input (Nessus ID 232161)) has been published on https://t.co/neKgtxjUL4
@WolfgangSesin
19 Mar 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.24.1 and 1.23.7 have been released as minor point releases. They include a security fix for a proxy bypass using IPv6 zone IDs (CVE-2025-22870). https://t.co/qildoIPHyq
@golangjp
6 Mar 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🎉 Go 1.24.1 and 1.23.7 are released! 🔐 Security: Includes a security fix for net/http (CVE-2025-22870) 🗣 Announcement: https://t.co/rcSFLJtfGz 🗃 Download: https://t.co/NR3n564izi #golang https://t.co/ftVZicm3C7
@golang
4 Mar 2025
20127 Impressions
124 Retweets
471 Likes
19 Bookmarks
1 Reply
6 Quotes