CVE-2025-22870 - Vulnerability Details

- HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Published: 2025-03-12

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Go standard library

net/http

unaffected

Version	Status	Constraints
`0`	affected	< 1.23.7
`1.24.0-0`	affected	< 1.24.1

golang.org/x/net

golang.org/x/net/http/httpproxy

unaffected

Version	Status	Constraints
`0`	affected	< 0.36.0

golang.org/x/net

golang.org/x/net/proxy

unaffected

Version	Status	Constraints
`0`	affected	< 0.36.0

No data.

Package	CPE	Advisory	Released Date
RHODF-4.18-RHEL-9
odf4/cephcsi-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/cephcsi-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/cephcsi-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/mcg-core-rhel9:v4.18.3-3	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/mcg-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/mcg-rhel9-operator:v4.18.3-3	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-client-console-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-client-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-client-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-metrics-exporter-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/ocs-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-cli-rhel9:v4.18.3-3	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-console-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-cosi-sidecar-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-csi-addons-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-csi-addons-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-csi-addons-sidecar-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-dependencies-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-multicluster-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-multicluster-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-must-gather-rhel9:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-prometheus-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odf-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odr-cluster-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odr-hub-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odr-recipe-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/odr-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/rook-ceph-operator-bundle:v4.18.3-4	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z
odf4/rook-ceph-rhel9-operator:v4.18.3-2	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:7616	2025-05-14T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-6690	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Github GHSA	GHSA-qxp5-gwg8-xv66	HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Ubuntu USN	USN-7574-1	Go vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/03/07/2
https://go.dev/cl/654697
https://go.dev/issue/71984
https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
https://nvd.nist.gov/vuln/detail/CVE-2025-22870
https://pkg.go.dev/vuln/GO-2025-3503
https://security.netapp.com/advisory/ntap-20250509-0007/
https://www.cve.org/CVERecord?id=CVE-2025-22870

History

Thu, 16 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
References		https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00012}`	epss `{'score': 0.00014}`

Thu, 15 May 2025 06:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat openshift Data Foundation
CPEs		cpe:/a:redhat:openshift_data_foundation:4.18::el9
Vendors & Products		Redhat Redhat openshift Data Foundation

Fri, 09 May 2025 20:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250509-0007/

Tue, 18 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-115
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 14 Mar 2025 02:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
References		https://nvd.nist.gov/vuln/detail/CVE-2025-22870 https://www.cve.org/CVERecord?id=CVE-2025-22870
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}` threat_severity `Moderate`

Wed, 12 Mar 2025 19:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/03/07/2

Wed, 12 Mar 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description		Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
Title		HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
References		https://go.dev/cl/654697 https://go.dev/issue/71984 https://pkg.go.dev/vuln/GO-2025-3503

Subscriptions

Redhat Openshift Data Foundation

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2025-03-12T18:27:59.376Z

Updated: 2026-04-16T22:39:33.619Z

Reserved: 2025-01-08T19:11:42.834Z

Link: CVE-2025-22870

Vulnrichment

Updated: 2025-05-09T20:03:37.043Z

NVD

Status : Deferred

Published: 2025-03-12T19:15:38.310

Modified: 2026-04-16T23:16:32.860

Link: CVE-2025-22870

Redhat

Severity : Moderate

Publid Date: 2025-03-12T18:27:59Z

Links: CVE-2025-22870 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object