{"id":"GO-2025-3503","summary":"HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net","details":"Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.","aliases":["CVE-2025-22870","GHSA-qxp5-gwg8-xv66"],"modified":"2026-04-16T22:45:11.580296Z","published":"2025-03-12T18:17:07Z","related":["CGA-cfr8-97rg-xjpc"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-3503"},"references":[{"type":"FIX","url":"https://go.dev/cl/654697"},{"type":"REPORT","url":"https://go.dev/issue/71984"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.23.7"},{"introduced":"1.24.0-0"},{"fixed":"1.24.1"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["ProxyFromEnvironment","envProxyFunc"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3503.json"}},{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.36.0"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http/httpproxy","symbols":["config.useProxy","domainMatch.match"]},{"path":"golang.org/x/net/proxy","symbols":["Dial","FromEnvironment","FromEnvironmentUsing","PerHost.AddFromString","PerHost.Dial","PerHost.DialContext","PerHost.dialerForRequest"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3503.json"}}],"schema_version":"1.7.5","credits":[{"name":"Juho Forsén of Mattermost"}]}