Go HTTP Libraries Proxy Bypass Vulnerability
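Vulnerability Information
Vulnerability name: Go HTTP Libraries Proxy Bypass Vulnerability
Vulnerability ID:
- CVE: CVE-2025-22870
Vulnerability type: Server-Side Request Forgery
Severity: Medium
Description: The vulnerability exists in the Go programming language's HTTP libraries, including net/http, x/net/proxy and httpproxy, which incorrectly parse IPv6 zone identifiers such as %25 when processing NO_PROXY rules. An attacker can craft a specific hostname (such as [::1%25.example.com]:80) that wrongly matches .example.com, bypassing the configured proxy and sending the request directly. The technical root cause is that Go fails to properly sanitize IPv6 zone identifiers, which leads to incorrect hostname matching logic. Affected components include versions of the Go programming language before 1.24.1 and 1.23.7, and versions of the golang.org/x/net module before v0.36.0. The vulnerability may be exploited for server-side request forgery (SSRF) attacks to access internal services that should be protected by the proxy. Although the CVSS score is 4.4 (Medium), its severity may be higher in environments that rely on strict proxy rules (such as cloud environments and zero-trust networks). It is recommended to upgrade Go to 1.24.1 or 1.23.7 immediately, update the x/net library to v0.36.0 or later, and review NO_PROXY settings to detect misuse of %25 and zone identifiers.
Vendor: Go programming language
Product name: Go HTTP libraries (net/http, x/net/proxy, httpproxy)
Affected versions: versions before 1.24.1 and 1.23.7, golang.org/x/net modules before v0.36.0
Source: https://github.com/B1ack4sh/Blackash-CVE-2025-22870
Type: CVE-2025:github search
Repository files
- CVE-2025-22870.go
- README.md
Source overview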
CVE-2025-22870 – Proxy Bypass via IPv6 Zone Parsing in Go 🔐
🧠 Description:
Go’s HTTP libraries (net/http, x/net/proxy, httpproxy) misinterpret IPv6 zone identifiers like %25 in hostnames when processing NO_PROXY rules.
This allows an attacker to craft a hostname like [::1%25.example.com]:80, which wrongly matches .example.com and bypasses the configured proxy, sending the request directly.
⚠️ Severity:
- CVSS 3.1: 4.4 (Medium)
- Some distributions (like Amazon Linux) rate it higher, up to 6.5, due to remote exploit potential.
🎯 Affected Components:
- Go programming language: versions before 1.24.1 and 1.23.7
- golang.org/x/net modules (like httpproxy): before v0.36.0
- Linux distros packaging these versions, e.g., Ubuntu, Debian, Alpine, Amazon Linux, SUSE
🧨 Exploit Scenario:
An attacker could:
- Exploit the mismatch in proxy matching
- Perform SSRF (Server-Side Request Forgery)
- Reach internal services that should be protected by a proxy
✅ Mitigation Steps:
- Upgrade Go to at least 1.24.1 or 1.23.7
- Update x/net libraries to v0.36.0 or newer
- Rebuild containers or software using older Go versions
- Audit proxy bypass settings (NO_PROXY) to detect misuse of %25 and zone identifiers
🧩 Technical Insight:
- %25 is the URL-encoded form of %, used in IPv6 zone identifiers like [fe80::1%eth0].
- Go fails to sanitize this, causing misclassification in hostname matching logic.
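The audit step above, as an added Go example that is not from the original repository or from Go's own code: it models the flawed comparison (zone text included in the NO_PROXY suffix test) beside a zone-aware one, and flags host:port values that only the flawed form would send direct. The function names and the sample list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// splitZone returns the host of a host:port authority, raw and with any IPv6 zone removed.
func splitZone(authority string) (raw, host string, ok bool) {
	raw, _, err := net.SplitHostPort(authority)
	if err != nil {
		return "", "", false
	}
	raw = strings.Replace(raw, "%25", "%", 1) // %25 is the URL-encoded zone delimiter
	host, _, _ = strings.Cut(raw, "%")
	return raw, host, true
}

// naiveMatch is a simplified model of the flaw: the zone text takes part in the suffix test.
func naiveMatch(authority, suffix string) bool {
	raw, _, ok := splitZone(authority)
	return ok && strings.HasSuffix(raw, suffix)
}

// zoneAwareMatch drops the zone first and never applies a domain rule to an IP literal.
func zoneAwareMatch(authority, suffix string) bool {
	_, host, ok := splitZone(authority)
	if _, err := netip.ParseAddr(host); !ok || err == nil {
		return false
	}
	return strings.HasSuffix(host, suffix)
}

// audit returns the authorities that only the naive matcher would exempt from the proxy.
func audit(authorities []string, suffix string) (flagged []string) {
	for _, a := range authorities {
		if naiveMatch(a, suffix) && !zoneAwareMatch(a, suffix) {
			flagged = append(flagged, a)
		}
	}
	return flagged
}

func main() {
	// Constructed sample authorities; the last one is the hostname quoted on this page.
	fmt.Println(audit([]string{"internal.example.com:443", "[fe80::1%25eth0]:8080", "[::1%25.example.com]:80"}, ".example.com"))
}
```

Run over the destinations recorded in outbound request logs, with each domain entry from NO_PROXY as the suffix, this lists the requests worth reviewing on builds older than the fixed versions.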
📌 Summary:
While rated “medium”, this vulnerability becomes more serious in environments relying on strict proxy rules (e.g., cloud environments, zero-trust networks). Immediate patching and review of NO_PROXY behavior are highly recommended.
🕷️ Vulnerability Details:
The PoC exploits a vulnerability in the golang.org/x/net/http/httpproxy package, specifically in the way it parses IPv6 zone identifiers when matching against NO_PROXY rules.
The payload used is:
⚠️ Disclaimer:
This content is shared for educational and informational purposes only 🧠.
Any demonstrations, examples, or technical descriptions provided are intended to help developers, system administrators, and security professionals understand the nature of the vulnerability and how to protect against it 🛡️.
Do not use this information for unauthorized or malicious activities.
Misuse of such knowledge may violate laws and lead to serious consequences 🚫.
Always act ethically and within legal boundaries ⚖️.