CVE-2025-22870: IPv6 Zone ID Information Disclosure Flaw

CVE-2025-22870 Overview

CVE-2025-22870 is an input validation vulnerability in Go's networking libraries where matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. This flaw allows attackers to bypass proxy configurations by crafting malicious IPv6 addresses with specially formatted zone IDs that incorrectly match against proxy exclusion patterns.

For example, when the NO_PROXY environment variable is set to *.example.com, a request to [::1%25.example.com]:80 will incorrectly match and not be proxied, potentially allowing network traffic to bypass intended security controls.

Critical Impact

Applications relying on proxy configurations for security controls may have those controls bypassed, potentially exposing internal network traffic or allowing unauthorized access to protected resources.

Affected Products

• Go programming language networking libraries
• Applications using Go's net/http proxy handling
• NetApp products (per security advisory)

Discovery Timeline

• 2025-03-12 - CVE CVE-2025-22870 published to NVD
• 2025-05-09 - Last updated in NVD database

Technical Details for CVE-2025-22870

Vulnerability Analysis

This vulnerability stems from improper parsing of IPv6 addresses containing zone identifiers (also known as scope IDs). In IPv6 addressing, a zone ID is appended to an address using the % character to specify the network interface for link-local addresses. The vulnerability occurs because Go's proxy pattern matching logic fails to properly isolate the zone ID from the hostname pattern matching process.

When evaluating whether a request should bypass the proxy based on NO_PROXY or similar environment variables, the affected code incorrectly parses the zone ID portion of an IPv6 address. An attacker can craft an IPv6 address where the zone ID contains characters that match against proxy exclusion patterns, causing the request to bypass proxy settings when it should not.

The vulnerability is classified under CWE-115 (Misinterpretation of Input), as the core issue involves the system incorrectly interpreting the zone ID component of an IPv6 address as part of the hostname for pattern matching purposes.

Root Cause

The root cause lies in the host matching logic within Go's networking stack. When processing IPv6 addresses with zone IDs (denoted by % in the address), the parsing routine fails to properly separate the zone ID from the actual address before performing pattern matching against proxy configuration rules. This allows specially crafted zone IDs like %25.example.com (where %25 is URL-encoded %) to be treated as part of the hostname, incorrectly matching against wildcard patterns like *.example.com.

Attack Vector

This is a local attack vector that requires the attacker to control or influence the destination addresses used by an application. The attack exploits the proxy bypass logic by:

1. Crafting an IPv6 address with a zone ID that contains the target domain pattern
2. Making requests to this crafted address from an application that uses Go's networking libraries
3. The malformed zone ID causes the request to match against NO_PROXY patterns
4. Traffic that should be proxied is sent directly, bypassing security controls

The practical impact allows local attackers with the ability to influence network requests to bypass proxy-based security controls, potentially exposing sensitive traffic or accessing resources that should only be reachable through a proxy.

Detection Methods for CVE-2025-22870

Indicators of Compromise

• Network logs showing direct connections that should have been proxied
• IPv6 addresses with unusual zone ID patterns containing domain-like strings (e.g., %25.example.com)
• Applications making outbound connections that bypass configured proxy settings
• Unexpected direct network traffic from applications configured to use proxies

Detection Strategies

• Monitor network traffic for IPv6 connections with malformed or suspicious zone IDs
• Implement network-level logging to detect proxy bypass attempts
• Review application logs for requests to IPv6 addresses containing encoded characters in zone IDs
• Deploy network monitoring to identify traffic that bypasses expected proxy paths

Monitoring Recommendations

• Enable verbose logging on proxy servers to detect requests that should have been proxied but were not
• Implement egress filtering to ensure applications cannot bypass proxy configurations at the network level
• Monitor Go applications for updates to patched versions
• Review application configurations for proper proxy enforcement

How to Mitigate CVE-2025-22870

Immediate Actions Required

• Update Go to a patched version that addresses this vulnerability
• Review applications using Go's networking libraries and schedule updates
• Implement network-level controls to enforce proxy usage regardless of application behavior
• Audit proxy bypass configurations and tighten NO_PROXY patterns where possible

Patch Information

The Go development team has addressed this vulnerability. Detailed patch information is available in the Go.dev Change Log Entry. Additional context is provided in the Go.dev Issue Tracker Entry and the official Go.dev Vulnerability Report.

For NetApp products, refer to the NetApp Security Advisory for product-specific guidance.

Workarounds

• Implement strict network-level firewall rules to enforce proxy usage
• Use network segmentation to prevent direct outbound connections from applications
• Validate and sanitize IPv6 addresses at the application level before making requests
• Consider using an external proxy enforcement mechanism that does not rely on application-level configuration

# Configuration example - Enforce proxy at network level
# Block direct outbound connections and force all traffic through proxy
iptables -A OUTPUT -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
# Allow connections only to proxy server
iptables -A OUTPUT -p tcp -d <proxy_ip> --dport <proxy_port> -j ACCEPT