https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ
announces the release of Go versions 1.24.1 and 1.23.7, including a
security fix for:
net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
