Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9c97b732-93db-41b0-916d-7b3aaa17afa5@oracle.com>
Date: Fri, 7 Mar 2025 11:58:20 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Go CVE-2025-22870: proxy bypass using IPv6 zone IDs

https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
announces the release of Go versions 1.24.1 and 1.23.7, including a
security fix for:

> net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
> 
> Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
> as a hostname component. For example, when the NO_PROXY environment variable was
> set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
> match and not be proxied.
> 
> Thanks to Juho Forsén of Mattermost for reporting this issue.
> 
> This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.