CVE-2025-4673
Published: 2025-06-11
CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Priority: P4 · 32 · medium · 6.8 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.56% (42.3rd percentile)
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| go_standard_library | net_http | < 1.23.10 | 1.23.10 |
| go_standard_library | net_http | >= 1.24.0-0 < 1.24.4 | 1.24.4 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.10-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.11-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.5-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm2_msft-golang_1.24.1-3_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
| osv | 6.8 | MEDIUM | — |
| vendor_debian | 6.8 | MEDIUM | — |
| vendor_msrc | 6.8 | MEDIUM | — |
| vendor_redhat | 6.8 | MEDIUM | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
Ubuntu
Go vulnerabilities
vendor_ubuntu·2025-06-18·CVSS 6.1
CVE-2024-45341 [MEDIUM] Go vulnerabilities
Summary: Several security issues were fixed in Go.
Kyle Seely discovered that the Go net/http module did not properly handle sensitive headers during repeated redirects. An attacker could possibly use this issue to obtain sensitive information. (CVE-2024-45336)

Juho Forsén discovered that the Go crypto/x509 module incorrectly handled IPv6 addresses during URI parsing. An attacker could possibly use this issue to bypass certificate URI constraints. (CVE-2024-45341)

It was discovered that the Go crypto module did not properly handle variable time instructions under certain circumstances on 64-bit Power (ppc64el) systems. An attacker could possibly use this issue to expose sensitive information. (CVE-2025-22866)

It was discovered that the Go http/httpproxy modul
Red Hat
net/http: Sensitive headers not cleared on cross-origin redirect in net/http
vendor_redhat·2025-06-11·CVSS 6.8
CVE-2025-4673 [MEDIUM] net/http: Sensitive headers not cleared on cross-origin redirect in net/http
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect responses, unintentionally exposing authentication details to unauthorized parties.
Statement: The issue is rated as Moderate because while it can lead to a significant compromise of confidentiality, the attack complexity is high. Successful exploitation requires a specific set of circumstance
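Defensive illustration added here (not code from Go, Red Hat or any advisory on this page): an http.Client.CheckRedirect hook that applies the fixed behaviour on an unpatched toolchain, dropping Proxy-Authorization and the other credential headers once a redirect leaves the first request's origin. The function name is hypothetical, the two servers and the credential are constructed, and its origin test (scheme plus host:port) is stricter than net/http's hostname/subdomain rule.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Credential-bearing headers that must not follow a redirect to another origin.
// Go 1.23.10 / 1.24.4 added the two Proxy-* names to net/http's own list.
var sensitiveHeaders = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2",
	"Proxy-Authorization", "Proxy-Authenticate"}

// stripSensitiveOnCrossOrigin is an http.Client.CheckRedirect hook (hypothetical
// name). net/http builds the follow-up request, headers already copied, before
// calling the hook, so deleting headers here keeps credentials on the first origin.
func stripSensitiveOnCrossOrigin(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via)) // same limit as the default policy
	}
	first := via[0].URL // origin of the initial request
	if !strings.EqualFold(first.Scheme, req.URL.Scheme) || !strings.EqualFold(first.Host, req.URL.Host) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

func main() {
	// Constructed demo: A redirects to B on another port (another origin); B records what arrived.
	var got http.Header
	b := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Clone()
	}))
	a := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, b.URL, http.StatusFound)
	}))
	client := &http.Client{CheckRedirect: stripSensitiveOnCrossOrigin}
	req, _ := http.NewRequest(http.MethodGet, a.URL, nil)
	req.Header.Set("Proxy-Authorization", "Basic dXNlcjpzZWNyZXQ=") // constructed credential
	req.Header.Set("X-Trace", "kept")                                 // non-sensitive, should survive
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	fmt.Printf("at B: Proxy-Authorization=%q X-Trace=%q\n", got.Get("Proxy-Authorization"), got.Get("X-Trace"))
}
```

Running it prints an empty Proxy-Authorization value at B while X-Trace arrives intact; the same hook can be installed on any client that cannot yet move to a fixed Go release.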
Microsoft
Sensitive headers not cleared on cross-origin redirect in net/http
vendor_msrc·2025-06-10·CVSS 6.8
CVE-2025-4673 [MEDIUM] Sensitive headers not cleared on cross-origin redirect in net/http
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://
Debian
CVE-2025-4673: golang-1.15 - Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin red...
vendor_debian·2025·CVSS 6.8
CVE-2025-4673 [MEDIUM] CVE-2025-4673: golang-1.15 - Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin red...
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Scope: local
bullseye: open
OSV
golang-1.22 vulnerabilities
osv·2025-06-18·CVSS 6.1
CVE-2024-45336 [MEDIUM] golang-1.22 vulnerabilities
Kyle Seely discovered that the Go net/http module did not properly handle sensitive headers during repeated redirects. An attacker could possibly use this issue to obtain sensitive information. (CVE-2024-45336)

Juho Forsén discovered that the Go crypto/x509 module incorrectly handled IPv6 addresses during URI parsing. An attacker could possibly use this issue to bypass certificate URI constraints. (CVE-2024-45341)

It was discovered that the Go crypto module did not properly handle variable time instructions under certain circumstances on 64-bit Power (ppc64el) systems. An attacker could possibly use this issue to expose sensitive information. (CVE-2025-22866)

It was discovered that the Go http/httpproxy module did not properly handle IPv6 zone IDs during hos
OSV
Sensitive headers not cleared on cross-origin redirect in net/http
osv·2025-06-11
CVE-2025-4673 Sensitive headers not cleared on cross-origin redirect in net/http
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
OSV
CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information
osv·2025-06-11·CVSS 6.8
CVE-2025-4673 [MEDIUM] CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
GHSA
GHSA-62jj-gr2r-5c34: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information
ghsa_unreviewed·2025-06-11
CVE-2025-4673 [MEDIUM] GHSA-62jj-gr2r-5c34: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
No detection rules found.
No public exploits indexed.
HackerOne
Failure to strip Proxy-Authorization header on change in origin
hackerone·2025-06-27
[MEDIUM] Failure to strip Proxy-Authorization header on change in origin
## Summary:
Failure to strip Proxy-Authorization header on change in origin.
AI was not used. I maintain the PHP Guzzle HTTP package which uses curl, and noticed we have the same issue as curl in this regard. I was made aware of this issue when golang patched something similar a few hours ago: CVE-2025-4673.
## Affected version
8.14.1
## Steps To Reproduce:
cURL appears to strip authorization and cookie, but not proxy-authorization. Send a request to a server that responds with a redirect to another host with all three headers set, and notice only the first two get stripped off the follow-up request.
## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]
* [attachment / refere
Bugzilla
CVE-2025-4673 caddy: Sensitive headers not cleared on cross-origin redirect in net/http [epel-all]
bugzilla·2025-06-23·CVSS 6.8
CVE-2025-4673 [MEDIUM] CVE-2025-4673 caddy: Sensitive headers not cleared on cross-origin redirect in net/http [epel-all]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2373305
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This affects epel8 and epel9, but not epel10.
Bugzilla
CVE-2025-4673 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
bugzilla·2025-06-18·CVSS 6.8
CVE-2025-4673 [MEDIUM] CVE-2025-4673 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:10672 https://access.redhat.com/errata/RHSA-2025:10672
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:10676 https://access.redhat.com/errata/RHSA-2025:10676
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:10677 https://access.redhat.com/errata/RHSA-2025:10677
---
This issue has been addressed in the following products:
Red Hat Enterprise Lin
Published: 2025-06-11