Go x/net Security Patch v0.38.0 Closes Critical IPv6 Proxy Bypass Vulnerability (CVE-2025-22870)

A critical security vulnerability in the widely-used Go programming language's `golang.org/x/net` library has been patched, addressing a flaw that could allow attackers to bypass proxy restrictions. The vulnerability, tracked as CVE-2025-22870, stems from improper handling of IPv6 addresses with zone identifiers, potentially enabling traffic to be misdirected to unintended hosts.

The issue was discovered in the library's logic for matching hosts against proxy patterns, such as those defined by the `NO_PROXY` environment variable. Specifically, when a pattern like `*.example.com` is set, a request to an IPv6 address containing a zone ID (e.g., `fe80::1%eth0`) could be incorrectly matched, allowing the request to bypass the proxy and connect directly. This flaw could be exploited in systems that rely on proxy configurations for security or network segmentation, leading to unauthorized data exfiltration or access to internal resources.

The patch, released in version v0.38.0, updates the module from v0.35.0. The update was automatically applied via the Renovate dependency management bot, which flagged it as a security update and auto-closed the associated pull request. This highlights the growing reliance on automated tooling to manage critical software supply chain risks. Developers and organizations using Go must ensure their dependencies are updated to v0.38.0 or later to mitigate this proxy bypass risk, particularly in environments with strict outbound traffic controls.