AZL-58446 — Vulnetix

AZL-58446 PUBLISHED

CVE-2025-22870 affecting package git-lfs for versions less than 3.6.1-2

Affected Products

Vendor	Product	Versions
Azure Linux:3	git-lfs	0

Exploit Intelligence

Proof-of-concept for CVE-2025-22870 demonstrating HTTP proxy bypass in vulnerable versions (<0.36.0) of golang.org/x/net/http/httpproxy. Exploits improper IPv6 zone ID parsing to evade NO_PROXY restrictions, enabling proxy bypass and potential SSRF under misconfigured environments. (github-poc)
CHANGELOG-v1.73.1.yml (github-poc)
scan.openvex.json (github-poc)

Timeline

Mar 12, 2025 CVE Published
Apr 21, 2026 CVE Updated

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22870 url

Open in Interactive Console →

$ Console Community · 100/wk Open console ›