PT-2025-2689 · Google · Google Go
Kyle Seely · Published 2025-01-16 · Updated 2026-02-18
CVE-2024-45336
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Google Go versions prior to 1.22.10 and 1.23.4
Description
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ carrying an Authorization header that is redirected to b.com/ will not send that header to b.com. However, if the client then received a subsequent same-domain redirect, the sensitive headers would be restored. For example, a chain of redirects from a.com/ to b.com/1 and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
Recommendations
For Google Go versions prior to 1.22.10, update to version 1.22.10 or later to resolve the issue.
For Google Go versions prior to 1.23.4, update to version 1.23.4 or later to resolve the issue.
As a temporary workaround, consider restricting the client's following of cross-domain redirects to minimize the risk of exploitation.
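That workaround can be applied on the client side with a CheckRedirect hook. The Go program below is an added example, not code from the advisory or from the Go project: it replays the redirect chain from the description against a local test server (the hostnames a.example and b.example and the bearer token are constructed; a custom DialContext routes both hosts to that server) and records which hops received the Authorization header. The hook compares every hop with the original host, so the same-domain follow-up hop stays stripped regardless of the Go version in use.

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Headers net/http drops on a cross-domain redirect.
var sensitive = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}
// StripOnCrossDomain is a CheckRedirect hook that checks every hop against the ORIGINAL host (via[0]), so a later same-domain hop cannot restore headers dropped earlier.
func StripOnCrossDomain(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects") // keep the default policy's loop limit
	}
	if !strings.EqualFold(req.URL.Hostname(), via[0].URL.Hostname()) {
		for _, h := range sensitive {
			req.Header.Del(h) // runs after the client copied headers onto req, so this is final
		}
	}
	return nil
}
// RunChain sends an authenticated GET through the advisory's chain a.example/ -> b.example/1 -> b.example/2, all served by
// one local test server (constructed hostnames; DialContext routes every host to it, so no DNS), and reports per hop whether Authorization arrived.
func RunChain(check func(*http.Request, []*http.Request) error) (map[string]bool, error) {
	seen := map[string]bool{} // hops are sequential, so the plain map needs no lock
	next := map[string]string{"a.example/": "http://b.example/1", "b.example/1": "http://b.example/2"}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hop := r.Host + r.URL.Path
		seen[hop] = r.Header.Get("Authorization") != ""
		if to, ok := next[hop]; ok {
			http.Redirect(w, r, to, http.StatusFound)
		}
	}))
	defer srv.Close()
	tr := &http.Transport{DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, srv.Listener.Addr().String())
	}}
	req, _ := http.NewRequest("GET", "http://a.example/", nil)
	req.Header.Set("Authorization", "Bearer constructed-token")
	resp, err := (&http.Client{Transport: tr, CheckRedirect: check}).Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return seen, nil
}
```

The hook is stricter than the standard library's rule, which also keeps the headers for subdomains of the original host; relax the comparison if that behaviour is needed.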
Fix
Information Disclosure
Affected Products
Alt Linux
AlmaLinux
Astra Linux
CentOS
Debian
Google Go
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu