{"api_version":"1","generated_at":"2026-04-17T05:47:17+00:00","cve":"CVE-2025-22870","urls":{"html":"https://cve.report/CVE-2025-22870","api":"https://cve.report/api/cve/CVE-2025-22870.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-22870","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-22870"},"summary":{"title":"HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net","description":"Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80\" will incorrectly match and not be proxied.","state":"PUBLISHED","assigner":"Go","published_at":"2025-03-12 19:15:38","updated_at":"2026-04-16 23:16:32"},"problem_types":["CWE-115","CWE-115 Misinterpretation of Input","CWE-115 CWE-115 Misinterpretation of Input"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"4.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":4.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"4.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"}}],"references":[{"url":"https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQA
J","name":"https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.netapp.com/advisory/ntap-20250509-0007/","name":"https://security.netapp.com/advisory/ntap-20250509-0007/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2025/03/07/2","name":"http://www.openwall.com/lists/oss-security/2025/03/07/2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://go.dev/cl/654697","name":"https://go.dev/cl/654697","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://go.dev/issue/71984","name":"https://go.dev/issue/71984","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://pkg.go.dev/vuln/GO-2025-3503","name":"https://pkg.go.dev/vuln/GO-2025-3503","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-22870","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22870","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Go standard library","product":"net/http","version":"affected 1.23.7 semver","platforms":[]},{"source":"CNA","vendor":"Go standard library","product":"net/http","version":"affected 1.24.0-0 1.24.1 semver","platforms":[]},{"source":"CNA","vendor":"golang.org/x/net","product":"golang.org/x/net/http/httpproxy","version":"affected 0.36.0 semver","platforms":[]},{"source":"CNA","vendor":"golang.org/x/net","product":"golang.org/x/net/proxy","version":"affected 
0.36.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Juho Forsén of Mattermost","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"22870","cve":"CVE-2025-22870","epss":"0.000310000","percentile":"0.086440000","score_date":"2026-04-16","updated_at":"2026-04-17 00:09:23"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-05-09T20:03:37.043Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2025/03/07/2"},{"url":"https://security.netapp.com/advisory/ntap-20250509-0007/"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":4.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-22870","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-03-18T16:31:16.493335Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-115","description":"CWE-115 Misinterpretation of Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-03-18T16:32:14.847Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://pkg.go.dev","defaultStatus":"unaffected","packageName":"net/http","product":"net/http","programRoutines":[{"name":"envProxyFunc"},{"name":"ProxyFromEnvironment"}],"vendor":"Go standard 
library","versions":[{"lessThan":"1.23.7","status":"affected","version":"0","versionType":"semver"},{"lessThan":"1.24.1","status":"affected","version":"1.24.0-0","versionType":"semver"}]},{"collectionURL":"https://pkg.go.dev","defaultStatus":"unaffected","packageName":"golang.org/x/net/http/httpproxy","product":"golang.org/x/net/http/httpproxy","programRoutines":[{"name":"config.useProxy"},{"name":"domainMatch.match"}],"vendor":"golang.org/x/net","versions":[{"lessThan":"0.36.0","status":"affected","version":"0","versionType":"semver"}]},{"collectionURL":"https://pkg.go.dev","defaultStatus":"unaffected","packageName":"golang.org/x/net/proxy","product":"golang.org/x/net/proxy","programRoutines":[{"name":"PerHost.dialerForRequest"},{"name":"PerHost.AddFromString"},{"name":"Dial"},{"name":"FromEnvironment"},{"name":"FromEnvironmentUsing"},{"name":"PerHost.Dial"},{"name":"PerHost.DialContext"}],"vendor":"golang.org/x/net","versions":[{"lessThan":"0.36.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","value":"Juho Forsén of Mattermost"}],"descriptions":[{"lang":"en","value":"Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. 
For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80\" will incorrectly match and not be proxied."}],"problemTypes":[{"descriptions":[{"description":"CWE-115 Misinterpretation of Input","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-04-16T22:39:33.619Z","orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go"},"references":[{"url":"https://go.dev/cl/654697"},{"url":"https://go.dev/issue/71984"},{"url":"https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ"},{"url":"https://pkg.go.dev/vuln/GO-2025-3503"}],"title":"HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"}},"cveMetadata":{"assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","assignerShortName":"Go","cveId":"CVE-2025-22870","datePublished":"2025-03-12T18:27:59.376Z","dateReserved":"2025-01-08T19:11:42.834Z","dateUpdated":"2026-04-16T22:39:33.619Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-12 19:15:38","lastModifiedDate":"2026-04-16 23:16:32","problem_types":["CWE-115","CWE-115 Misinterpretation of Input","CWE-115 CWE-115 Misinterpretation of Input"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"22870","Ordinal":"1","Title":"HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net","CVE":"CVE-2025-22870","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"22870","Ordinal":"1","NoteData":"Matching of hosts against proxy patterns can improperly treat an 
IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80\" will incorrectly match and not be proxied.","Type":"Description","Title":"HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"}]}}}