Go Security Patch: Critical Vulnerabilities in `golang.org/x/net` Library Expose Proxy Bypass Risk

A routine dependency update in the Go programming ecosystem has exposed two critical security vulnerabilities within the widely used `golang.org/x/net` library. The update patches CVE-2025-22870 and CVE-2025-22872, flaws that could allow attackers to bypass proxy configurations and potentially manipulate HTTP request parsing. The vulnerabilities are present in versions prior to v0.45.0, prompting an urgent, multi-version upgrade across numerous projects.

The core of the threat lies in the library's handling of network requests. CVE-2025-22870 is a logic flaw where the system for matching hosts against proxy patterns (like those defined in the `NO_PROXY` environment variable) can misinterpret an IPv6 address's zone identifier as part of a hostname. This misclassification could cause requests to unintended destinations to incorrectly bypass the proxy, leading to potential data leakage or communication with blocked endpoints. Concurrently, CVE-2025-22872 involves an error in the HTML tokenizer, which may incorrectly parse tags containing unquoted attribute values ending in specific characters, opening a vector for input manipulation.

This security update is not a minor revision but a mandatory jump across multiple minor versions, as indicated by updates from v0.33.0, v0.34.0, v0.37.0, and v0.39.0 all converging on v0.45.0. The `golang.org/x/net` package is an indirect dependency for countless Go applications, meaning the vulnerability risk is deeply embedded in software supply chains. Developers and security teams must immediately audit their dependency trees. The silent nature of these flaws—potentially breaking security boundaries without obvious errors—makes them particularly insidious, elevating the patch from a simple chore to a critical security operation.