CVE-2025-22870: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-22870 is a vulnerability discovered in Go's proxy host matching functionality, disclosed on March 12, 2025. The vulnerability affects the handling of IPv6 zone IDs in proxy patterns, specifically in the golang.org/x/net package before version v0.36.0. The issue was reported by Juho Forsén of Mattermost (Go Issue, Go Packages).

The vulnerability occurs when matching hosts against proxy patterns, where the system improperly treats an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to '*.example.com', a request to '[::1%25.example.com]:80' will incorrectly match and not be proxied. The issue affects multiple components including net/http, x/net/proxy, and x/net/http/httpproxy. The vulnerability has been assigned a CVSS 3.1 Base Score of 4.4 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L (NVD).

The vulnerability allows for improper bypassing of proxy settings through manipulation of IPv6 zone IDs. This could potentially lead to security controls being circumvented, as requests that should be routed through a proxy are instead made directly (OSS Security).

The vulnerability has been fixed in Go versions 1.24.1 and 1.23.7. Users are advised to upgrade to these patched versions. For the golang.org/x/net package, updating to version v0.36.0 or later will resolve the vulnerability (Go Packages).