Cross-Domain Redirect Vulnerability in Go's HTTP Client
CVE-2024-45336

6.1 MEDIUM

Key Information:

CVE Published: 28 January 2025

Badges

📰 News Worthy

What is CVE-2024-45336?

A vulnerability in the Go HTTP client causes sensitive headers to be handled inconsistently when following cross-domain redirects. When the client is redirected from one domain to another, it correctly drops sensitive headers such as the Authorization header instead of sending them to the second domain. However, if the chain then continues with one or more redirects that stay within that second domain, the sensitive headers are incorrectly restored and sent on those subsequent requests. This behavior can lead to unintended exposure of sensitive information, such as credentials, to a domain that should never have received them.
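As an added example for the behaviour described above (not code from the Go project or from this advisory), the following is a CheckRedirect policy for http.Client that strips the sensitive headers on every hop whose host lies outside the initial request's domain, comparing each hop against the first request rather than the previous hop, so a follow-up redirect that stays on the second domain never gets the headers back; simulateChain replays a redirect chain through the policy offline. The domain names, the token and the header names other than Authorization are constructed for the example.

```go
package main
import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)
// Headers that must not cross a domain boundary while following redirects;
// Authorization is the one named in the advisory.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Www-Authenticate"}
// stripSensitiveOnCrossDomain is a CheckRedirect policy for http.Client. The
// client fills req.Header before calling CheckRedirect, so deleting here works.
func stripSensitiveOnCrossDomain(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // keep the default client's redirect limit
		return errors.New("stopped after 10 redirects")
	}
	// Compare with the initial request (via[0]), never with the previous hop:
	// a hop that stays on the second domain is still cross-domain.
	host := strings.ToLower(req.URL.Hostname())
	initial := strings.ToLower(via[0].URL.Hostname())
	if host != initial && !strings.HasSuffix(host, "."+initial) { // nor a subdomain
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// simulateChain replays a redirect chain through the policy with no network.
// Each hop starts with the constructed Authorization header, as the real client
// re-copies headers from the initial request before every redirect.
func simulateChain(urls []string) ([]bool, error) {
	var via []*http.Request
	var sent []bool // per hop: would Authorization still be sent?
	for _, raw := range urls {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		req := &http.Request{Method: "GET", URL: u, Header: http.Header{"Authorization": {"Bearer constructed-token"}}}
		if len(via) > 0 {
			if err := stripSensitiveOnCrossDomain(req, via); err != nil {
				return nil, err
			}
		}
		sent = append(sent, req.Header.Get("Authorization") != "")
		via = append(via, req)
	}
	return sent, nil
}
```

Wire it up with `&http.Client{CheckRedirect: stripSensitiveOnCrossDomain}`; for the chain a.example → b.example/1 → b.example/2, simulateChain reports that the header reaches only the first URL.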

Affected Version(s)

net/http: < 1.22.11

net/http: >= 1.23.0-0, < 1.23.5

net/http: >= 1.24.0-0, < 1.24.0-rc.2

News Articles

KrakenD CE v2.9 released with improved sequential proxy and security

Discover the latest KrakenD updates, including enhanced sequential proxies, YAML encoding, offline linter capabilities, Lua header management, and critical security fixes

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • 📰 First article discovered by KrakenD

  • Vulnerability Reserved

Credit

Kyle Seely