Bug 2351766 (CVE-2025-22870) - CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Status: NEW
Alias: CVE-2025-22870
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
Reported: 2025-03-12 21:41 UTC by OSIDB Bzimport
Modified: 2025-05-15 08:28 UTC (History)

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2025:7616 | 0 | None | None | None | 2025-05-14 14:49:42 UTC

Description OSIDB Bzimport 2025-03-12 21:41:31 UTC
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
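
The mismatch described above, reduced to a self-contained Go model. This is an added example, not the golang.org/x/net code or its fix: `bypass`, `suffixMatch` and the `hardened` flag are hypothetical names, and the hardened path is one possible mitigation assumed here (classify the host as an IP literal before any name matching, and drop the zone before IP comparison).

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// suffixMatch is a simplified NO_PROXY domain rule: "*.d", ".d" and "d" match subdomains of d.
func suffixMatch(host, pattern string) bool {
	d := strings.TrimPrefix(strings.TrimPrefix(pattern, "*"), ".")
	return d != "" && strings.HasSuffix(host, "."+d)
}

// bypass reports whether hostport would skip the proxy; hardened=false models the flawed check.
func bypass(hostport, noProxy string, hardened bool) bool {
	host := strings.Trim(strings.ToLower(hostport), "[]")
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = strings.ToLower(h)
	}
	addr, err := netip.ParseAddr(host) // accepts "addr%zone"; "%25" is a URL-encoded '%'
	hostIsIP := err == nil
	if hardened && !hostIsIP && strings.Contains(host, "%") {
		return false // zone separator on a non-IP host: fail closed and use the proxy
	}
	for _, p := range strings.FieldsFunc(strings.ToLower(noProxy), func(r rune) bool { return r == ',' || r == ' ' }) {
		pfx, perr := netip.ParsePrefix(p)
		ip, ierr := netip.ParseAddr(p)
		patIsIP := perr == nil || ierr == nil
		var hit bool
		switch {
		case !hardened || (!hostIsIP && !patIsIP):
			hit = suffixMatch(host, p) // flawed path: IP literals are matched as names too
		case hostIsIP && patIsIP:
			bare := addr.WithZone("") // the zone is an interface scope, not part of the address
			hit = (perr == nil && pfx.Contains(bare)) || (ierr == nil && ip == bare)
		}
		if hit {
			return true
		}
	}
	return false
}

func main() {
	h := "[::1%25.example.com]:80" // the request host quoted in the description
	fmt.Println(bypass(h, "*.example.com", false), bypass(h, "*.example.com", true))
}
```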

Comment 5 errata-xmlrpc 2025-05-14 14:49:34 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:7616 https://access.redhat.com/errata/RHSA-2025:7616

