CVE-2025-22870 (Medium) Detected In Github.com/golang/net-v0.1.0

CVE-2025-22870: A Medium Severity Vulnerability in github.com/golang/net-v0.1.0

Introduction

In the ever-evolving landscape of open-source software, vulnerabilities can arise from even the most trusted libraries. One such vulnerability has been detected in the github.com/golang/net-v0.1.0 library, which is a part of the Go supplementary network libraries. This vulnerability, identified as CVE-2025-22870, has been classified as medium severity and affects versions before 1.23.7 and 1.24.x before 1.24.1.

Vulnerability Details

The vulnerability lies in the way Go's net/http, x/net/proxy, and x/net/http/httpproxy handle proxy bypass using IPv6 zone IDs. Specifically, the matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. This can lead to a proxy bypass vulnerability, where certain requests may not be proxied as intended.

For instance, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" would incorrectly match and not be proxied. This vulnerability affects versions of Go before 1.23.7 and 1.24.x before 1.24.1.

CVSS 3 Score Details

The CVSS 3 score for this vulnerability is 5.5, indicating a medium severity risk. The base score metrics are as follows:

• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Scope: Unchanged

The impact metrics are:

• Confidentiality Impact: None
• Integrity Impact: None
• Availability Impact: High

Suggested Fix

To mitigate this vulnerability, it is recommended to upgrade the version of the github.com/golang/net library to at least 1.23.7 or 1.24.x before 1.24.1. This can be achieved by updating the go.mod file to the latest version.

Conclusion

The detection of CVE-2025-22870 in the github.com/golang/net-v0.1.0 library serves as a reminder of the importance of regular security audits and updates in open-source software. By staying informed and taking proactive measures to address vulnerabilities, developers can ensure the security and integrity of their applications.

Additional Resources

For more information on CVE-2025-22870, please refer to the following resources:

• Mend Vulnerability Database
• CVSS 3 Calculator

Step up your Open Source Security Game with Mend

To learn more about how to secure your open-source software and stay ahead of vulnerabilities, please visit Whitesource Software.
CVE-2025-22870: A Medium Severity Vulnerability in github.com/golang/net-v0.1.0 - Q&A

Introduction

In our previous article, we discussed the detection of CVE-2025-22870 in the github.com/golang/net-v0.1.0 library, a part of the Go supplementary network libraries. This vulnerability has been classified as medium severity and affects versions before 1.23.7 and 1.24.x before 1.24.1. In this article, we will address some frequently asked questions (FAQs) related to this vulnerability.

Q&A

Q: What is CVE-2025-22870?

A: CVE-2025-22870 is a medium severity vulnerability detected in the github.com/golang/net-v0.1.0 library, which is a part of the Go supplementary network libraries. This vulnerability affects versions before 1.23.7 and 1.24.x before 1.24.1.

Q: What is the impact of this vulnerability?

A: The impact of this vulnerability is a proxy bypass vulnerability, where certain requests may not be proxied as intended. This can lead to security risks and potential data breaches.

Q: How can I identify if my application is affected by this vulnerability?

A: To identify if your application is affected by this vulnerability, you can check the version of the github.com/golang/net library used in your application. If the version is before 1.23.7 or 1.24.x before 1.24.1, your application may be vulnerable.

Q: What is the recommended fix for this vulnerability?

A: The recommended fix for this vulnerability is to upgrade the version of the github.com/golang/net library to at least 1.23.7 or 1.24.x before 1.24.1. This can be achieved by updating the go.mod file to the latest version.

Q: How can I prevent similar vulnerabilities in the future?

A: To prevent similar vulnerabilities in the future, it is essential to regularly update your dependencies and libraries to the latest versions. Additionally, you can use tools like Whitesource Software to identify and fix vulnerabilities in your open-source software.

Q: What is the CVSS 3 score for this vulnerability?

A: The CVSS 3 score for this vulnerability is 5.5, indicating a medium severity risk.

Q: What are the base score metrics for this vulnerability?

A: The base score metrics for this vulnerability are:

• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Scope: Unchanged

Q: What are the impact metrics for this vulnerability?

A: The impact metrics for this vulnerability are:

• Confidentiality Impact: None
• Integrity Impact: None
• Availability Impact: High

Conclusion

CVE-2025-22870 is a medium severity vulnerability detected in the github.com/golang/net-v0.1.0 library. It is essential to understand the impact and recommended fix for this vulnerability to ensure the security and integrity of your applications. By regularly updating your dependencies and libraries and using tools like Whitesource Software, you can prevent similar vulnerabilities in the future.

Additional Resources

For more information on CVE-2025-22870, please refer to the following resources:

• Mend Vulnerability Database
• CVSS 3 Calculator
• Whitesource Software