// For flags

CVE-2024-45336

Sensitive headers incorrectly sent after cross-domain redirect in net/http

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header redirected to `b.com/` will not send that header to `b.com`. However, the sensitive headers would be restored if the client received a subsequent same-domain redirect. For example, a chain of redirects from `a.com/`, to `b.com/1`, and finally to `b.com/2` would incorrectly send the Authorization header to `b.com/2`.

Kyle Seely discovered that the Go net/http module did not properly handle sensitive headers during repeated redirects. An attacker could possibly use this issue to obtain sensitive information. Juho Fors�n discovered that the Go crypto/x509 module incorrectly handled IPv6 addresses during URI parsing. An attacker could possibly use this issue to bypass certificate URI constraints. It was discovered that the Go crypto module did not properly handle variable time instructions under certain circumstances on 64-bit Power systems. An attacker could possibly use this issue to expose sensitive information.

*Credits: Kyle Seely
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-08-27 CVE Reserved
  • 2025-01-28 CVE Published
  • 2025-02-21 CVE Updated
  • 2025-07-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Go Standard Library
Search vendor "Go Standard Library"
 Net/http
Search vendor "Go Standard Library" for product "Net/http"
 < 1.22.11
Search vendor "Go Standard Library" for product "Net/http" and version " < 1.22.11"
en
Affected
Go Standard Library
Search vendor "Go Standard Library"
 Net/http
Search vendor "Go Standard Library" for product "Net/http"
 >= 1.23.0-0 < 1.23.5
Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.23.0-0 < 1.23.5"
en
Affected
Go Standard Library
Search vendor "Go Standard Library"
 Net/http
Search vendor "Go Standard Library" for product "Net/http"
 >= 1.24.0-0.0 < 1.24.0-rc.2
Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.24.0-0.0 < 1.24.0-rc.2"
en
Affected