GO-2025-3503
- Source
- https://pkg.go.dev/vuln/GO-2025-3503
- Import Source
- https://vuln.go.dev/ID/GO-2025-3503.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2025-3503
- Aliases
- Published
- 2025-03-12T18:17:07Z
- Modified
- 2025-03-12T22:11:57.350760Z
- Summary
- HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
- Details
-
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2025-3503" }- References
- Credits
-
-
- Juho Forsén of Mattermost
-
Affected packages
Go / golang.org/x/net
Package
- Name
- golang.org/x/net
- View open source insights on deps.dev
- Purl
- pkg:golang/golang.org/x/net
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.36.0
Ecosystem specific
{
"imports": [
{
"path": "golang.org/x/net/http/httpproxy",
"symbols": [
"config.useProxy",
"domainMatch.match"
]
},
{
"path": "golang.org/x/net/proxy",
"symbols": [
"Dial",
"FromEnvironment",
"FromEnvironmentUsing",
"PerHost.AddFromString",
"PerHost.Dial",
"PerHost.DialContext",
"PerHost.dialerForRequest"
]
}
]
}