Golang Proxy Bypass Vulnerability via IPv6 Zone IDs

A vulnerability exists in Golang's proxy handling that can lead to a bypass of proxy settings. This issue arises in the net/http, x/net/proxy, and x/net/http/httpproxy packages, specifically in versions prior to 0.36.0. The vulnerability occurs when hosts are matched against proxy patterns, as an IPv6 zone ID can be incorrectly interpreted as part of the hostname. For instance, with the NO_PROXY environment variable set to '*.example.com', a request to '[::1%25.example.com]:80' would mistakenly match and bypass the proxy.

Impact

Exploitation of this vulnerability can result in improper proxy handling, allowing requests to bypass intended proxy settings, which could lead to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, set the NO_PROXY environment variable to '*.example.com'. Then, send a request to '[::1%25.example.com]:80'. The request will incorrectly match the NO_PROXY pattern and bypass the proxy, demonstrating the vulnerability.

Remediation

Users can update to Golang versions 1.24.1 or 1.23.7, which include the necessary fix. NetApp products affected by this vulnerability should also be updated to versions that include the Golang 1.24.1 or 1.23.7 update.