Skip to content

net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs #71984

New issue
New issue
Closed
Closed
net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs#71984
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityvulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
 
Go1.25
@neild

Description

@neild
neild
opened on Feb 26, 2025 · edited by JunyangShao

Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870

/cc @golang/security and @golang/release

Activity

neild

neild commented on Feb 26, 2025

@neild
neild
on Feb 26, 2025
ContributorAuthor

@gopherbot please open backport issues for this security fix

gopherbot

gopherbot commented on Feb 26, 2025

@gopherbot
gopherbot
on Feb 26, 2025
Contributor

Backport issue(s) opened: #71985 (for 1.23), #71986 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot
mentioned this in 2 issues on Feb 26, 2025
gabyhelp
added
vulncheck or vulndbIssues for the x/vuln or x/vulndb repo
on Feb 26, 2025
dmitshur
added
Security
NeedsFixThe path to resolution is known, but the work has not been done.
on Feb 27, 2025
dmitshur
added this to the Go1.25 milestone on Feb 27, 2025
JunyangShao
changed the title [-]security: fix CVE-2025-22870[/-] [+]net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs[/+] on Mar 4, 2025
gopherbot

gopherbot commented on Mar 4, 2025

@gopherbot
gopherbot
on Mar 4, 2025
Contributor

Change https://go.dev/cl/654717 mentions this issue: all: update golang.org/x/net

gopherbot

gopherbot commented on Mar 4, 2025

@gopherbot
gopherbot
on Mar 4, 2025
Contributor

Change https://go.dev/cl/654795 mentions this issue: [release-branch.go1.24] all: updates vendored x/net

gopherbot

gopherbot commented on Mar 4, 2025

@gopherbot
gopherbot
on Mar 4, 2025
Contributor

Change https://go.dev/cl/654796 mentions this issue: [release-branch.go1.23] all: updates vendored x/net

gopherbot
added 3 commits that reference this issue on Mar 4, 2025

[release-branch.go1.24] all: updates vendored x/net

e4119e9

[release-branch.go1.23] all: updates vendored x/net

45aade7

all: update golang.org/x/net

3705a6f

21 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityvulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @neild@dmitshur@gopherbot@gabyhelp

        Issue actions
          net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs · Issue #71984 · golang/go