4.4 CVE-2025-22870

Enriched by CISA
 

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
https://nvd.nist.gov/vuln/detail/CVE-2025-22870

Categories

CWE-115 : Misinterpretation of Input
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Product sees dangerous file extension in free text of a group discussion, disconnects all users. Product does not correctly import and process security settings from another product.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Go standard library net/http
  • < 1.23.7 [affected]
  • 1.24.0-0 < 1.24.1 [affected]
golang.org/x/net golang.org/x/net/http/httpproxy
  • < 0.36.0 [affected]
golang.org/x/net golang.org/x/net/proxy
  • < 0.36.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry