
CVE-2024-45336

Sensitive headers incorrectly sent after cross-domain redirect in net/http

Severity Score: 6.1 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see "Affected Vendors, Products, and Versions" below
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)
Descriptions

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header redirected to `b.com/` will not send that header to `b.com`. However, the sensitive headers would be restored if the client received a subsequent same-domain redirect. For example, a chain of redirects from `a.com/`, to `b.com/1`, and finally to `b.com/2` would incorrectly send the Authorization header to `b.com/2`.

An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include denial of service and memory exhaustion vulnerabilities.

Credits: Kyle Seely

CVSS Scores (Common Vulnerability Scoring System)

Metric               CVSS v3.1 (score 6.1)   CVSS v3.x, vector 2   CVSS v2
Attack Vector        Network                 Network               Network
Attack Complexity    Low                     High                  Medium
Privileges Required  None                    None                  -
Authentication       -                       -                     None
User Interaction     Required                None                  -
Scope                Changed                 Unchanged             -
Confidentiality      Low                     High                  Partial
Integrity            Low                     None                  Partial
Availability         None                    None                  None
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-08-27 CVE Reserved
  • 2025-01-28 CVE Published
  • 2025-02-21 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions

Vendor                Product    Version                        Status
Go Standard Library   Net/http   < 1.22.11                      Affected
Go Standard Library   Net/http   >= 1.23.0-0 < 1.23.5           Affected
Go Standard Library   Net/http   >= 1.24.0-0.0 < 1.24.0-rc.2    Affected