
Kyle Seely

#42204 of 53,633
6.4 Total CVSS
Vulnerabilities · 1
PT-2025-2689
6.4
2025-01-16
Google · Google Go · CVE-2024-45336
**Name of the Vulnerable Software and Affected Versions**

Google Go versions prior to 1.22.10 and 1.23.4

**Description**

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an `Authorization` header which is redirected to b.com/ will not send that header to b.com. However, in the event that the client received a subsequent same-domain redirect, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the `Authorization` header to b.com/2.

**Recommendations**

For Google Go versions prior to 1.22.10, update to version 1.22.10 or later to resolve the issue. For Google Go versions prior to 1.23.4, update to version 1.23.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of cross-domain redirects to minimize the risk of exploitation.
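The redirect chain in the description (a.com/ to b.com/1 to b.com/2) is a case where deciding per hop, by comparing only the next URL against the previous one, lets a header that was correctly dropped come back. The following is an added example, not code from this page or from the Go project: a `CheckRedirect` policy that compares every hop against the domain of the original request and strips sensitive headers once the chain has left it, so a later same-domain hop cannot restore them. The function names (`strictRedirect`, `leftOriginDomain`, `headerSurvives`), the inclusion of `Cookie` alongside `Authorization`, the decision to keep headers stripped even if the chain later returns to the origin domain, and the URLs and token value are all assumptions for illustration; nothing here touches the network.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// sensitiveHeaders are the request headers this policy refuses to forward
// once a redirect chain has left the origin domain. Authorization is the
// header named in the advisory; including Cookie is an assumption.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// sameOrSubdomain reports whether host equals parent or is a subdomain of it.
func sameOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	return host == parent || strings.HasSuffix(host, "."+parent)
}

// leftOriginDomain reports whether the chain (via = requests already sent,
// oldest first; next = the upcoming request) has at any hop left the domain
// of the original request via[0]. Checking every hop against via[0], rather
// than next against only the previous hop, is what closes the
// a.com -> b.com/1 -> b.com/2 gap described in the advisory.
func leftOriginDomain(next *http.Request, via []*http.Request) bool {
	if len(via) == 0 {
		return false
	}
	origin := via[0].URL.Hostname()
	for _, r := range via[1:] {
		if !sameOrSubdomain(r.URL.Hostname(), origin) {
			return true
		}
	}
	return !sameOrSubdomain(next.URL.Hostname(), origin)
}

// strictRedirect is an http.Client.CheckRedirect policy. It keeps the
// client's default limit of 10 redirects and removes sensitive headers from
// the upcoming request whenever the chain has left the origin domain.
func strictRedirect(next *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if leftOriginDomain(next, via) {
		for _, h := range sensitiveHeaders {
			next.Header.Del(h)
		}
	}
	return nil
}

// headerSurvives simulates a redirect chain over the given URLs (the first is
// the original request) without sending anything, and reports whether an
// Authorization header set on the original request would still reach the
// last URL under strictRedirect. The header is copied to every hop, which
// over-approximates the vulnerable client, so only the policy decides.
func headerSurvives(chain []string) (bool, error) {
	if len(chain) == 0 {
		return false, errors.New("empty chain")
	}
	var via []*http.Request
	for i, u := range chain {
		r, err := http.NewRequest(http.MethodGet, u, nil)
		if err != nil {
			return false, err
		}
		r.Header.Set("Authorization", "Bearer constructed-example-token") // constructed value
		if i > 0 {
			if err := strictRedirect(r, via); err != nil {
				return false, err
			}
		}
		via = append(via, r)
	}
	return via[len(via)-1].Header.Get("Authorization") != "", nil
}

func main() {
	// How a service would install the policy on its own client.
	client := &http.Client{CheckRedirect: strictRedirect}
	_ = client

	chains := [][]string{
		{"https://a.com/", "https://b.com/1", "https://b.com/2"}, // the advisory's chain
		{"https://a.com/", "https://a.com/1", "https://a.com/2"}, // same domain throughout
		{"https://a.com/", "https://api.a.com/"},                 // subdomain of the origin
	}
	for _, c := range chains {
		ok, err := headerSurvives(c)
		fmt.Printf("%v -> Authorization forwarded to last hop: %v (err=%v)\n", c, ok, err)
	}
}
```

Installing a policy like this on the client is a caller-side mitigation that complements, rather than replaces, the upgrade recommended above; it also gives a natural place to log any chain that crosses domains, which is useful for spotting services that redirect authenticated requests off-origin.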