The vulnerability causes proxy matching logic in Go’s standard library and golang.org/x/net to incorrectly treat an IPv6 zone ID as part of the hostname. When the NO_PROXY environment variable is set to a pattern such as "*.example.com", a request to a URL like "[::1%25.example.com]:80" will be recognized as a match and therefore routed directly, bypassing the configured proxy. This flaw allows an attacker to force traffic that should be proxied to travel unfiltered, potentially exposing internal network details or bypassing authentication controls that are applied by the proxy.

The issue affects applications that compile against the Go net/http standard library and the golang.org/x/net/http/httpproxy and golang.org/x/net/proxy packages. Systems running Red Hat OpenShift Data Foundation 4.18 on el9 (as identified by the cpe string) and other deployments that use these packages may be impacted. Specific version information was not supplied by the CNA, so any deployment using a vulnerable Go version should be evaluated.

With a CVSS score of 4.4 the vulnerability is considered moderate in severity, and an EPSS score of less than 1% indicates a very low probability of exploitation. The flaw is not listed in CISA’s KEV catalog, and no public exploit has been reported. The likely attack vector requires the attacker to supply or influence HTTP requests that include IPv6 addresses with zone identifiers, and the vulnerability is an input validation issue (CWE-115, CWE-20). Because the flaw resides in the client’s proxy selection logic, it is best exploited when the target application automatically processes untrusted traffic or is controlled by an external entity capable of manipulating the NO_PROXY environment variable. Overall risk is moderate but with low anticipated exploitation.