Vulnerability Report: GO-2025-3420
standard library
- Aliases: CVE-2024-45336
- Affects: net/http
- Published: Jan 28, 2025
- Modified: Jan 30, 2025
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
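The chain described above (a/ to b/1 to b/2) can be rebuilt locally to confirm which behaviour a given toolchain shows, and an application can also close the gap itself with a CheckRedirect policy that compares every hop against the original request's host instead of the previous hop. The program below is an added example, not code from the Go project or from this report; the names StripSensitiveOnCrossDomainRedirect, HardenedClient, Probe and isDomainOrSubdomain are chosen here, isDomainOrSubdomain is a local simplification of the library's own suffix check, and the bearer token is a constructed value. The policy is assumed to be at least as strict as the patched library: once any hop has left the origin domain, the sensitive headers stay removed for the rest of the chain.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// The headers net/http treats as sensitive on redirects.
var sensitiveHeaders = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}

// isDomainOrSubdomain reports whether sub equals parent or is a subdomain of it.
// Local simplification for this example; it expects hostnames without ports.
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	// IPv6 literals contain ':' and must never match by suffix.
	if strings.ContainsAny(sub, ":%") {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

// StripSensitiveOnCrossDomainRedirect is an http.Client.CheckRedirect policy.
// The client copies headers onto the next request before calling CheckRedirect,
// so deleting from req.Header here decides what is actually sent. Every hop is
// compared with the host of the ORIGINAL request (via[0]); once any hop has left
// that domain, the sensitive headers are removed for the remainder of the chain.
func StripSensitiveOnCrossDomainRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects") // same limit as the default policy
	}
	if len(via) == 0 {
		return nil
	}
	origin := via[0].URL.Hostname()
	leftOrigin := !isDomainOrSubdomain(req.URL.Hostname(), origin)
	for _, hop := range via[1:] {
		if !isDomainOrSubdomain(hop.URL.Hostname(), origin) {
			leftOrigin = true
		}
	}
	if leftOrigin {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// HardenedClient returns a client that applies the policy above.
func HardenedClient() *http.Client {
	return &http.Client{CheckRedirect: StripSensitiveOnCrossDomainRedirect}
}

// Probe rebuilds the chain a/ -> b/1 -> b/2 on two loopback servers that differ
// in hostname (127.0.0.1 vs localhost, which the client treats as different
// domains) and reports whether the Authorization header reached b/2.
func Probe(client *http.Client) (leaked bool, err error) {
	var mu sync.Mutex
	var seen string
	b := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/1":
			http.Redirect(w, r, "/2", http.StatusFound) // same-domain hop
		case "/2":
			mu.Lock()
			seen = r.Header.Get("Authorization")
			mu.Unlock()
		default:
			http.NotFound(w, r)
		}
	}))
	defer b.Close()
	bURL, err := url.Parse(b.URL)
	if err != nil {
		return false, err
	}
	a := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// cross-domain hop: 127.0.0.1 -> localhost
		http.Redirect(w, r, "http://localhost:"+bURL.Port()+"/1", http.StatusFound)
	}))
	defer a.Close()

	req, err := http.NewRequest(http.MethodGet, a.URL+"/", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer constructed-example-token") // constructed value
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen != "", nil
}

func main() {
	clients := map[string]*http.Client{"default client": http.DefaultClient, "hardened client": HardenedClient()}
	for name, c := range clients {
		leaked, err := Probe(c)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s: Authorization header reached b/2 = %v\n", name, leaked)
	}
}
```

Upgrading to one of the fixed releases listed in this report is the actual fix; the CheckRedirect policy is defence in depth that also protects builds on older toolchains, and Probe gives a quick answer for whether a particular toolchain still restores the header on the second hop.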
Affected Packages
- Path: net/http
- Go Versions: before go1.22.11, from go1.23.0-0 before go1.23.5, from go1.24.0-0 before go1.24.0-rc.2
- Symbols: 9 affected symbols
References
- https://go.dev/cl/643100
- https://go.dev/issue/70530
- https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
- https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
- https://vuln.go.dev/ID/GO-2025-3420.json
Credits
- Kyle Seely