Main Vulnerability Database Vulnerabilities #VU106253

#VU106253 Input validation error in proxy and httpproxy - CVE-2025-22870

Published: March 30, 2025 / Updated: July 18, 2025

Vulnerability identifier: #VU106253

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2025-22870

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
proxy
httpproxy

Software vendor:
Google

Description

The vulnerability allows a remote attacker to alter application's behavior.

The vulnerability exists due to insufficient validation of an IPv6 zone ID as a hostname component, when matching hosts against proxy patterns. For instance the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. A remote attacker can alter application behavior and potentially gain access to sensitive information or functionality.

Remediation

Install updates from vendor's website.

#VU106253 Input validation error in proxy and httpproxy - CVE-2025-22870

Description

Remediation

External links