CVE-2025-22870

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
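The mismatch described above, shown as an added example that is not code from golang.org/x/net or from this advisory: a plain suffix comparison accepts the zone text as a hostname, while a matcher that classifies the host as an IP literal first does not. The function names `naiveBypass`, `strictBypass` and `hostOf` are hypothetical, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// naiveBypass reproduces the flaw class: the host is compared to a
// "*.domain" pattern as a plain string, so zone text counts as a hostname.
func naiveBypass(host, pattern string) bool {
	suffix := strings.TrimPrefix(pattern, "*") // "*.example.com" -> ".example.com"
	return strings.HasSuffix(strings.ToLower(host), suffix)
}

// strictBypass classifies the host before matching: an IP literal, zoned or
// not, and anything containing '%' is never eligible for a domain pattern.
func strictBypass(host, pattern string) bool {
	if _, err := netip.ParseAddr(host); err == nil {
		return false
	}
	if strings.Contains(host, "%") {
		return false
	}
	return naiveBypass(host, pattern)
}

// hostOf returns the decoded host of a URL, without brackets or port.
func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

func main() {
	// Constructed inputs: the advisory's host plus an ordinary hostname.
	for _, raw := range []string{"http://[::1%25.example.com]:80/", "http://api.example.com/"} {
		host, err := hostOf(raw)
		if err != nil {
			fmt.Println(raw, "rejected by URL parser:", err)
			continue
		}
		fmt.Printf("%-22q naive=%-5v strict=%v\n", host,
			naiveBypass(host, "*.example.com"), strictBypass(host, "*.example.com"))
	}
}
```

The same classification step is useful when auditing custom proxy-selection code: any matcher that handles NO_PROXY-style patterns should be tested with zoned IPv6 literals.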

Patch Available

Fix available through Seal Security. 

No upgrade required, protect your application instantly.

Score: 4.4
Severity: Medium
Ecosystem: GO
Publish Date: March 12, 2025
Modified Date: April 16, 2026
Score Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Affected Versions