Hello gophers,
We have tagged version v0.36.0 of golang.org/x/net in order to address a security issue.
Version v0.36.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/proxy and golang.org/x/net/http/httpproxy packages which could cause the proxy to be bypassed.
Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80" would incorrectly match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.
Cheers,
Go Security team
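
The matching flaw described above, as an added illustration that is not code from golang.org/x/net or from the Go Security team: a plain suffix comparison accepts an IPv6 zone ID as if it were part of a hostname, while a check that first recognises IP literals does not. The function names and the sample hosts are constructed for this example, and the zone-aware check is one possible approach, not a description of the actual fix.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// suffixMatch reports whether host falls under a "*.domain" NO_PROXY-style
// subdomain pattern, using string comparison only. It has no notion of
// IP literals, so anything after '%' in a zoned address counts as hostname.
func suffixMatch(host, pattern string) bool {
	suffix := strings.TrimPrefix(strings.ToLower(pattern), "*")
	if !strings.HasPrefix(suffix, ".") {
		suffix = "." + suffix
	}
	return strings.HasSuffix(strings.ToLower(host), suffix)
}

// zoneAwareMatch refuses to apply a domain pattern to an IP literal.
// netip.ParseAddr accepts the "addr%zone" form, so a zoned IPv6 literal is
// classified as an address before any suffix comparison takes place.
func zoneAwareMatch(host, pattern string) bool {
	if _, err := netip.ParseAddr(host); err == nil {
		return false // IP literal: domain patterns never apply
	}
	return suffixMatch(host, pattern)
}

func main() {
	const pattern = "*.example.com"
	// Constructed sample hosts. "::1%.example.com" is the host part of
	// "[::1%25.example.com]:80" once the percent-encoded "%25" is decoded.
	hosts := []string{"www.example.com", "::1%.example.com", "::1", "example.org"}
	for _, h := range hosts {
		fmt.Printf("%-18s suffixOnly=%-5v zoneAware=%v\n",
			h, suffixMatch(h, pattern), zoneAwareMatch(h, pattern))
	}
}
```

Running it shows that only the zoned literal is classified differently by the two checks, which is a quick way to test any in-house NO_PROXY matcher for the same class of bug.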