Fluid Attacks Database

Description

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	>=0 <1.24.1-1	1.24.1-1
go	golang.org/x/net	>=0 <0.36.0	0.36.0
rpm rhel8	rhc	-	-
rpm rhel9	butane	-	-
rpm rhel10	skopeo	-	-
rpm rhel9	opentelemetry-collector	-	-
rpm rhel8	skopeo	-	-
rpm rhel10	osbuild-composer	-	-

1-10 of 57

Aliases

1. CVE-2025-228702. NVD-2025-228703. OSV-DEBIAN-2025-228704. OSV-2025-228705. OSV-GO-2025-35036. GCVE-2025-228707. SECURITY-TRACKER-CVE-2025-22870

References

1. https://github.com/JoshuaProvoste/CVE-2025-228702. https://go.dev/cl/6546973. https://go.dev/issue/719844. https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ5. https://pkg.go.dev/vuln/GO-2025-35036. https://security.netapp.com/advisory/ntap-20250509-00077. http://www.openwall.com/lists/oss-security/2025/03/07/2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.