CVE-2025-22870

4.4 MEDIUM

📋 TL;DR

This vulnerability in Go's net/http package causes incorrect proxy pattern matching when IPv6 addresses contain zone identifiers. It allows requests that should be proxied to bypass proxy settings, potentially exposing internal traffic. Affects applications using Go's HTTP client with NO_PROXY environment variables containing wildcard patterns.

💻 Affected Systems

Products:
  • Go programming language
  • Applications built with Go that use net/http package
Versions: Go versions before 1.23.2 and 1.22.11
Operating Systems: All operating systems running affected Go versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using NO_PROXY environment variable with wildcard patterns (*.example.com) and making requests to IPv6 addresses with zone identifiers.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Internal network traffic could be exposed to external networks when it should be proxied through controlled gateways, potentially leaking sensitive data or allowing unauthorized access to internal services.

🟠 Likely Case: Accidental bypass of proxy configurations leading to unexpected network routing, potentially causing connectivity issues or minor data leakage in specific configurations.

🟢 If Mitigated: Minimal impact if proper network segmentation and egress controls are in place, as the vulnerability only affects proxy bypass decisions.

🌐 Internet-Facing: LOW - This vulnerability primarily affects proxy configuration decisions rather than direct external exploitation.
🏢 Internal Only: MEDIUM - Internal applications using Go HTTP clients with NO_PROXY wildcards could experience unexpected proxy bypass.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over request destination URLs and specific proxy configurations. Proof of concept is publicly available in the Go issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.23.2 and Go 1.22.11

Vendor Advisory: https://go.dev/issue/71984

Restart Required: Yes

Instructions:

  1. Update Go to version 1.23.2 or 1.22.11.
  2. Recompile affected applications.
  3. Restart services using the updated Go runtime.

🔧 Temporary Workarounds

Avoid wildcard NO_PROXY patterns (platform: all)

Replace wildcard patterns in NO_PROXY with explicit domain names:

  export NO_PROXY="example.com,sub.example.com" # Instead of *.example.com

Disable IPv6 zone identifiers (platform: linux)

Configure systems to not use IPv6 zone identifiers in network requests.

🧯 If You Can't Patch

  • Audit and remove wildcard patterns from NO_PROXY environment variables
  • Implement network monitoring for unexpected direct connections bypassing proxies

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version' and verify it's below 1.23.2 or 1.22.11. Also check if applications use NO_PROXY with wildcard patterns.

Check Version:

go version

Verify Fix Applied:

After updating Go, test proxy behavior with IPv6 addresses containing zone identifiers to ensure proper proxy matching.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected direct connections when proxy should be used
  • HTTP client logs showing connections to IPv6 addresses with % characters

Network Indicators:

  • Traffic to IPv6 addresses with zone identifiers bypassing proxy servers
  • Unexpected network flows matching NO_PROXY wildcard patterns

SIEM Query:

source="http_client" dest_ip="*%*" AND NOT proxy_used=true
