net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

[neild]

Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #71985 (for 1.23), #71986 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/654717 mentions this issue: all: update golang.org/x/net

[gopherbot]

Change https://go.dev/cl/654795 mentions this issue: [release-branch.go1.24] all: updates vendored x/net

[gopherbot]

Change https://go.dev/cl/654796 mentions this issue: [release-branch.go1.23] all: updates vendored x/net