CVE-2024-45336: Sensitive Information Exposure in Standard Library net/http

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.1% (top 65.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 28; latest update Jun 18

Description

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
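The following Go program is an added illustration, not code from the Go project or from this advisory. It models the redirect loop described above: the initial request's headers are re-copied on every hop, and a sensitive header is forwarded only when the destination host is within the reference domain. With `compareToInitial=false` the reference is the previous hop, which reproduces the leak on a.com/ → b.com/1 → b.com/2; with `true` the reference is the original request, so the Authorization header stays stripped for the rest of the chain. The `stripSensitiveOnCrossDomain` hook is an assumed mitigation for clients that cannot upgrade yet: net/http copies headers into the new request before calling `CheckRedirect`, so the hook can delete them whenever the target is outside the first request's domain. The header list, hostnames and helper names are this example's own choices.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Headers that must never be forwarded to another domain (example list).
var sensitiveHeaders = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}

// isDomainOrSubdomain reports whether host equals parent or is a subdomain of it.
// Ports are ignored by the callers (they pass url.Hostname()).
func isDomainOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	if host == parent {
		return true
	}
	// "api.b.com" is under "b.com"; "notb.com" is not.
	return strings.HasSuffix(host, "."+parent)
}

func isSensitive(name string) bool {
	for _, h := range sensitiveHeaders {
		if http.CanonicalHeaderKey(name) == h {
			return true
		}
	}
	return false
}

// forwardedHeaders returns, for every hop in chain, the names from initialHeaders
// that would be sent to that hop. compareToInitial=false compares each hop with
// the previous hop (the flawed rule); true compares with the initial request.
func forwardedHeaders(initialURL string, initialHeaders []string, chain []string, compareToInitial bool) ([][]string, error) {
	initial, err := url.Parse(initialURL)
	if err != nil {
		return nil, err
	}
	prev := initial
	var out [][]string
	for _, hop := range chain {
		dest, err := url.Parse(hop)
		if err != nil {
			return nil, err
		}
		ref := prev
		if compareToInitial {
			ref = initial
		}
		var sent []string
		for _, h := range initialHeaders {
			if !isSensitive(h) || isDomainOrSubdomain(dest.Hostname(), ref.Hostname()) {
				sent = append(sent, h)
			}
		}
		out = append(out, sent)
		prev = dest
	}
	return out, nil
}

// stripSensitiveOnCrossDomain is a CheckRedirect hook (assumed mitigation): via[0]
// is the very first request, so the check does not depend on the previous hop.
func stripSensitiveOnCrossDomain(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if len(via) > 0 && !isDomainOrSubdomain(req.URL.Hostname(), via[0].URL.Hostname()) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

func main() {
	// Constructed redirect chain from the advisory: a.com/ -> b.com/1 -> b.com/2.
	chain := []string{"https://b.com/1", "https://b.com/2"}
	hdrs := []string{"Authorization", "User-Agent"}
	flawed, _ := forwardedHeaders("https://a.com/", hdrs, chain, false)
	fixed, _ := forwardedHeaders("https://a.com/", hdrs, chain, true)
	fmt.Println("previous-hop rule:", flawed) // [[User-Agent] [Authorization User-Agent]]
	fmt.Println("initial-host rule:", fixed)  // [[User-Agent] [User-Agent]]

	// Client wired with the mitigation hook (no request is made here).
	client := &http.Client{CheckRedirect: stripSensitiveOnCrossDomain}
	_ = client
}
```

The hook only covers headers that net/http copies from the initial request; cookies managed by a `CookieJar` are scoped by the jar itself and are not affected by this bug.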

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

CVEList V5: go_standard_library/net_http, 1.23.0-0 to 1.23.5 (+2)

Vulnerability Details (5)

OSV: golang-1.22 vulnerabilities (2025-06-18)
CVEList: Sensitive headers incorrectly sent after cross-domain redirect in net/http (2025-01-28)
OSV: Sensitive headers incorrectly sent after cross-domain redirect in net/http (2025-01-28)
GHSA: GHSA-7wrw-r4p8-38rx: The HTTP client drops sensitive headers after following a cross-domain redirect (2025-01-28)
OSV: CVE-2024-45336: The HTTP client drops sensitive headers after following a cross-domain redirect (2025-01-28)

Vendor Advisories (3)

Ubuntu: Go vulnerabilities (2025-06-18)
Red Hat: golang: net/http: sensitive headers incorrectly sent after cross-domain redirect (2025-01-17)
Debian: CVE-2024-45336: golang-1.15 - The HTTP client drops sensitive headers after following a cross-domain redirect... (2024)
CVE-2024-45336 — Sensitive Information Exposure | cvebase