Medium severity4.4NVD Advisory· Published Mar 12, 2025· Updated Apr 16, 2026
CVE-2025-22870
CVE-2025-22870
Description
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/netGo | < 0.36.0 | 0.36.0 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-qxp5-gwg8-xv66ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-22870ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/03/07/2nvdWEB
- go-review.googlesource.com/q/project:netghsaPACKAGE
- go.dev/cl/654697nvdWEB
- go.dev/issue/71984nvdWEB
- groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJnvdWEB
- pkg.go.dev/vuln/GO-2025-3503nvdWEB
- security.netapp.com/advisory/ntap-20250509-0007ghsaWEB
- security.netapp.com/advisory/ntap-20250509-0007/nvd
News mentions
0No linked articles in our index yet.