CVE-2025-22870: CWE-115 Misinterpretation of Input in Go standard library net/http
CVE-2025-22870 is a medium-severity vulnerability in the Go standard library net/http package where host matching against proxy patterns can misinterpret an IPv6 zone ID as part of a hostname. This causes requests with certain IPv6 addresses to incorrectly match NO_PROXY environment variable patterns, potentially bypassing proxy settings. The vulnerability affects Go versions up to 1. 24. 0-0. There is no confirmed patch or official fix available at this time. The CVSS score is 4. 4, indicating limited confidentiality impact and low availability impact. No known exploits are reported in the wild.
AI Analysis
Technical Summary
This vulnerability (CVE-2025-22870) in the Go standard library net/http package involves improper handling of IPv6 zone IDs when matching hosts against proxy exclusion patterns defined in the NO_PROXY environment variable. Specifically, an IPv6 address with a zone ID, such as "[::1%25.example.com]:80", can be misinterpreted so that the zone ID is treated as a hostname component. This leads to incorrect matching against patterns like "*.example.com", causing the request to bypass the proxy when it should not. The issue is classified under CWE-115 (Misinterpretation of Input). It affects Go versions from 0 up to 1.24.0-0. The CVSS v3.1 base score is 4.4, with attack vector local, low attack complexity, low privileges required, no user interaction, unchanged scope, limited confidentiality impact, no integrity impact, and low availability impact. No patch or remediation details are currently provided.
Potential Impact
The vulnerability can cause requests to bypass proxy configurations unintentionally, potentially exposing internal network traffic or circumventing intended network controls. The confidentiality impact is limited, and there is no impact on integrity. Availability impact is low. No known exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should be cautious when relying on NO_PROXY patterns involving IPv6 zone IDs. Review proxy configuration and consider avoiding patterns that could be affected by this issue. Monitor vendor communications for updates and patches.
CVE-2025-22870: CWE-115 Misinterpretation of Input in Go standard library net/http
Description
CVE-2025-22870 is a medium-severity vulnerability in the Go standard library net/http package where host matching against proxy patterns can misinterpret an IPv6 zone ID as part of a hostname. This causes requests with certain IPv6 addresses to incorrectly match NO_PROXY environment variable patterns, potentially bypassing proxy settings. The vulnerability affects Go versions up to 1. 24. 0-0. There is no confirmed patch or official fix available at this time. The CVSS score is 4. 4, indicating limited confidentiality impact and low availability impact. No known exploits are reported in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2025-22870) in the Go standard library net/http package involves improper handling of IPv6 zone IDs when matching hosts against proxy exclusion patterns defined in the NO_PROXY environment variable. Specifically, an IPv6 address with a zone ID, such as "[::1%25.example.com]:80", can be misinterpreted so that the zone ID is treated as a hostname component. This leads to incorrect matching against patterns like "*.example.com", causing the request to bypass the proxy when it should not. The issue is classified under CWE-115 (Misinterpretation of Input). It affects Go versions from 0 up to 1.24.0-0. The CVSS v3.1 base score is 4.4, with attack vector local, low attack complexity, low privileges required, no user interaction, unchanged scope, limited confidentiality impact, no integrity impact, and low availability impact. No patch or remediation details are currently provided.
Potential Impact
The vulnerability can cause requests to bypass proxy configurations unintentionally, potentially exposing internal network traffic or circumventing intended network controls. The confidentiality impact is limited, and there is no impact on integrity. Availability impact is low. No known exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should be cautious when relying on NO_PROXY patterns involving IPv6 zone IDs. Review proxy configuration and consider avoiding patterns that could be affected by this issue. Monitor vendor communications for updates and patches.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Go
- Date Reserved
- 2025-01-08T19:11:42.834Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9817c4522896dcbd73a2
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 4/24/2026, 4:23:11 PM
Last updated: 5/10/2026, 4:45:02 AM
Views: 110
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.