oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Go CVE-2025-22870: proxy bypass using IPv6 zone IDs

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 7 Mar 2025 11:58:20 -0800
https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
announces the release of Go versions 1.24.1 and 1.23.7, including a
security fix for:


net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.


--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Previous By Date Next
Previous By Thread Next

Current thread: