CVE-2024-45336
Published 2025-01-28. CVE-2024-45336: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is…
Priority: P4 · 28 · medium · 6.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.65% (46.3th percentile)
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
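Added example, not code from the advisory or from the Go project: a CheckRedirect policy that judges every hop against the initial request's host, so the same-domain hop b.com/1 -> b.com/2 cannot restore Authorization, plus a loopback harness that replays that exact chain through a real http.Client. The hosts a.test and b.test, the X-Seen-Authorization echo header and the bearer value are constructed for the demo.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)
// StripAcrossRedirects is an http.Client.CheckRedirect policy (assumed helper, not net/http
// code): every hop is judged against the INITIAL request, via[0], not the previous hop.
func StripAcrossRedirects(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // a custom CheckRedirect also replaces net/http's own hop limit
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if !strings.EqualFold(req.URL.Hostname(), via[0].URL.Hostname()) {
		// same header set net/http strips; exact-host match is stricter than its subdomain rule
		for _, h := range []string{"Authorization", "Cookie", "Cookie2", "Www-Authenticate"} {
			req.Header.Del(h)
		}
	}
	return nil
}
// RunChain replays the advisory's a.com -> b.com/1 -> b.com/2 chain on one loopback server
// (constructed hosts a.test/b.test dial it) and returns the Authorization that reached b.test/2.
func RunChain(policy func(*http.Request, []*http.Request) error) (string, error) {
	next := map[string]string{"a.test/": "http://b.test/1", "b.test/1": "http://b.test/2"}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Authorization", r.Header.Get("Authorization")) // what this hop got
		if to, ok := next[r.Host+r.URL.Path]; ok {
			http.Redirect(w, r, to, http.StatusFound)
		}
	}))
	defer srv.Close()
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		if strings.HasSuffix(addr, ".test:80") {
			addr = srv.Listener.Addr().String()
		}
		return (&net.Dialer{}).DialContext(ctx, network, addr)
	}
	client := &http.Client{Transport: &http.Transport{DialContext: dial}, CheckRedirect: policy}
	req, _ := http.NewRequest("GET", "http://a.test/", nil)
	req.Header.Set("Authorization", "Bearer constructed-secret")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Seen-Authorization"), nil
}
```

Running the harness with a nil policy on a toolchain older than the fixed versions in the table below hands the bearer token to b.test/2; with StripAcrossRedirects the final hop sees nothing regardless of toolchain.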
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| go_standard_library | net_http | < 1.22.11 | 1.22.11 |
| go_standard_library | net_http | >= 1.23.0-0 < 1.23.5 | 1.23.5 |
| go_standard_library | net_http | >= 1.24.0-0 < 1.24.0-rc.2 | 1.24.0-rc.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
| vendor_ubuntu | | 6.1 | MEDIUM | |
OSV: golang-1.22 vulnerabilities
osv · 2025-06-18 · CVSS 6.1 · CVE-2024-45336 [MEDIUM]
Kyle Seely discovered that the Go net/http module did not properly handle
sensitive headers during repeated redirects. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2024-45336)
Juho Forsén discovered that the Go crypto/x509 module incorrectly handled
IPv6 addresses during URI parsing. An attacker could possibly use this
issue to bypass certificate URI constraints. (CVE-2024-45341)
It was discovered that the Go crypto module did not properly handle
variable time instructions under certain circumstances on 64-bit Power
(ppc64el) systems. An attacker could possibly use this issue to expose
sensitive information. (CVE-2025-22866)
It was discovered that the Go http/httpproxy module did not properly
handle IPv6 zone IDs during hos
OSV: Sensitive headers incorrectly sent after cross-domain redirect in net/http
osv · 2025-01-28 · CVE-2024-45336
GHSA: GHSA-7wrw-r4p8-38rx: The HTTP client drops sensitive headers after following a cross-domain redirect
ghsa_unreviewed · 2025-01-28 · CVE-2024-45336 [MEDIUM]
OSV: CVE-2024-45336: The HTTP client drops sensitive headers after following a cross-domain redirect
osv · 2025-01-28 · CVSS 6.1 · CVE-2024-45336 [MEDIUM]
Ubuntu: Go vulnerabilities
vendor_ubuntu · 2025-06-18 · CVSS 6.1 · CVE-2024-45341 [MEDIUM]
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Red Hat: golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect
vendor_redhat · 2025-01-17 · CVSS 6.1 · CVE-2024-45336 [MEDIUM] · CWE-200
A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header red
Debian: CVE-2024-45336: golang-1.15 - The HTTP client drops sensitive headers after following a cross-domain redirect....
vendor_debian · 2024 · CVSS 6.1 · CVE-2024-45336 [MEDIUM]
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Published: 2025-01-28