New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
MEDIUM 4.4 Go

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

GHSA-qxp5-gwg8-xv66 · CVE-2025-22870 · GO-2025-3503

Published · Modified

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Ready to move

Start Securing

Free, no credit card | First findings in minutes