PT-2024-31514 · Req · Req

Published: 2024-08-25 · Updated: 2024-09-13 · CVE-2024-45258

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: req package, versions prior to 3.43.4
Description: The req package may send a request to an unintended destination when it is given a malformed URL, because the cleanHost function in http.go follows a "garbage in, garbage out" design. Applications that rely on this library for HTTP requests can therefore behave unexpectedly or be exposed to security vulnerabilities. net/url and req parse URLs inconsistently, so defensive checks that depend on URL parsing can fail, which can lead to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).
Recommendations: For versions prior to 3.43.4, update to version 3.43.4 or later. As a temporary workaround, consider blocklists that prevent HTTP requests to listed URLs, and use the net/url library to parse malformed URLs. Restrict access to the cleanHost function in http.go to minimize the risk of exploitation. Avoid using the req library to handle HTTP requests until the issue is resolved.
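The following Go program is an added example, not code from the req project or this advisory. It shows the recommended defensive pattern: parse with net/url, validate the hostname against an allowlist, and hand the HTTP client only a normalized string rebuilt from the parsed fields, so a client with its own parsing quirks never sees the raw input. The allowlist, the function names and the sample hostnames are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// CanonicalURL parses raw with net/url, checks the hostname against an allowlist
// and returns a normalized string rebuilt from the parsed fields. Only this string
// should reach the HTTP client; re-parsing it and comparing hosts guards against a
// client whose own URL parsing disagrees with net/url (the differential at issue).
func CanonicalURL(raw string, allowedHosts []string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("rejected: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("rejected: scheme %q", u.Scheme)
	}
	if u.User != nil { // user@host forms are a classic source of host confusion
		return "", fmt.Errorf("rejected: userinfo present")
	}
	host := strings.ToLower(u.Hostname())
	if !hostAllowed(host, allowedHosts) {
		return "", fmt.Errorf("rejected: host %q not on allowlist", host)
	}
	// Rebuild from parsed fields only; the raw string is never passed on.
	clean := url.URL{Scheme: u.Scheme, Host: strings.ToLower(u.Host), Path: u.Path, RawQuery: u.RawQuery}
	out := clean.String()
	// Round trip: the canonical form must parse back to the validated host.
	if again, err := url.Parse(out); err != nil || strings.ToLower(again.Hostname()) != host {
		return "", fmt.Errorf("rejected: canonical form does not round-trip")
	}
	return out, nil
}

func hostAllowed(host string, list []string) bool {
	for _, h := range list {
		if host == strings.ToLower(h) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs; internal.example is a placeholder, not a real host.
	for _, raw := range []string{"https://api.example.com/v1/items?id=7", "https://api.example.com@internal.example/"} {
		out, err := CanonicalURL(raw, []string{"api.example.com"})
		fmt.Printf("%q -> %q %v\n", raw, out, err)
	}
}
```

The returned string, not the caller's original input, is what should be passed to the HTTP client.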

Fix · SSRF · Code Injection · RCE

Weakness Enumeration

Related Identifiers: CVE-2024-45258 · GHSA-CJ55-GC7M-WVCQ · GO-2024-3098

Affected Products: Req