CVE-2025-4673

Sensitive headers not cleared on cross-origin redirect in net/http

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect responses, unintentionally exposing authentication details to unauthorized parties.

Kyle Seely discovered that the Go net/http module did not properly handle sensitive headers during repeated redirects. An attacker could possibly use this issue to obtain sensitive information. Juho Fors�n discovered that the Go crypto/x509 module incorrectly handled IPv6 addresses during URI parsing. An attacker could possibly use this issue to bypass certificate URI constraints. It was discovered that the Go crypto module did not properly handle variable time instructions under certain circumstances on 64-bit Power systems. An attacker could possibly use this issue to expose sensitive information.

*Credits: Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-05-13 CVE Reserved
2025-06-09 CVE Published
2025-06-11 CVE Updated
2025-07-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://go.dev/cl/679257
https://go.dev/issue/73816
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
https://pkg.go.dev/vuln/GO-2025-3751

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-4673	2025-07-10
https://bugzilla.redhat.com/show_bug.cgi?id=2373305	2025-07-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				< 1.23.10 Search vendor "Go Standard Library" for product "Net/http" and version " < 1.23.10"		en		Affected
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				>= 1.24.0-0 < 1.24.4 Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.24.0-0 < 1.24.4"		en		Affected