x/vulndb: potential Go vuln in golang.org/x/net: GHSA-qxp5-gwg8-xv66

[GoVulnBot]

Advisory GHSA-qxp5-gwg8-xv66 references a vulnerability in the following Go modules:

Module
golang.org/x/net

Description:
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

References:

• ADVISORY: GHSA-qxp5-gwg8-xv66
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• FIX: https://go.dev/cl/654697
• REPORT: https://go.dev/issue/71984
• WEB: http://www.openwall.com/lists/oss-security/2025/03/07/2

Cross references:

• golang.org/x/net appears in 17 other report(s):
  • data/reports/GO-2020-0014.yaml (dummy issue #14)
  • data/reports/GO-2021-0078.yaml (dummy issue #78)
  • data/reports/GO-2021-0238.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-33194 #238)
  • data/reports/GO-2022-0192.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17142 #192)
  • data/reports/GO-2022-0193.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17143 #193)
  • data/reports/GO-2022-0197.yaml (x/vulndb: potential Go vuln in "Go Standard Library (package not identified)": CVE-2018-17847 #197)
  • data/reports/GO-2022-0236.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-31525 #236)
  • data/reports/GO-2022-0288.yaml (x/vulndb: potential Go vuln in std: CVE-2021-44716 #288)
  • data/reports/GO-2022-0536.yaml (x/vulndb: potential Go vuln in std: CVE-2019-9512, CVE-2019-9514 #536)
  • data/reports/GO-2022-0969.yaml (x/vulndb: potential Go vuln in std: CVE-2022-27664 #969)
  • data/reports/GO-2022-1144.yaml (x/vulndb: potential Go vuln in std: CVE-2022-41717 #1144)
  • data/reports/GO-2023-1495.yaml (x/vulndb: potential Go vuln in golang.org/x/net/http2/h2c: CVE-2022-41721 #1495)
  • data/reports/GO-2023-1571.yaml (x/vulndb: potential Go vuln in net/http: CVE-2022-41723 #1571)
  • data/reports/GO-2023-1988.yaml (x/vulndb: potential Go vuln in golang.org/x/net/html: CVE-2023-3978 #1988)
  • data/reports/GO-2023-2102.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-39325 #2102)
  • data/reports/GO-2024-2687.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-45288 #2687)
  • data/reports/GO-2024-3333.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2024-45338 #3333)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: golang.org/x/net
      versions:
        - fixed: 0.36.0
      vulnerable_at: 0.35.0
summary: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
cves:
    - CVE-2025-22870
ghsas:
    - GHSA-qxp5-gwg8-xv66
references:
    - advisory: https://github.com/advisories/GHSA-qxp5-gwg8-xv66
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-22870
    - fix: https://go.dev/cl/654697
    - report: https://go.dev/issue/71984
    - web: http://www.openwall.com/lists/oss-security/2025/03/07/2
source:
    id: GHSA-qxp5-gwg8-xv66
    created: 2025-03-12T23:01:20.951550156Z
review_status: UNREVIEWED

[thatnealpatel]

Duplicate of #3503