CVE-2024-45336: Sensitive headers incorrectly sent after cross-domain redirect in net/http

Description

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
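To make the redirect behaviour concrete, the following Go program is an added example (not code from the Go standard library or from this advisory) that simulates which headers reach each hop of the chain above. It contrasts a hop-by-hop decision, which reproduces the restoration described here, with a sticky decision under which a header dropped at any hop stays dropped; the function names, the subdomain rule and the sensitive-header list are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Header names that must not follow a redirect to another domain (assumed list).
var sensitive = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}

// sameDomain: exact host match, or next is a subdomain of prev.
func sameDomain(prev, next *url.URL) bool {
	a, b := strings.ToLower(prev.Hostname()), strings.ToLower(next.Hostname())
	return a == b || strings.HasSuffix(b, "."+a)
}

// headersForHop returns the header set sent to each hop of a redirect chain
// (chain[0] is the initial request carrying orig). With sticky=false the decision
// is re-made per hop, so headers dropped at a cross-domain hop come back once two
// consecutive hops share a host; with sticky=true a dropped header stays dropped.
func headersForHop(orig http.Header, chain []*url.URL, sticky bool) []http.Header {
	out := make([]http.Header, 0, len(chain))
	stripped := false
	for i, u := range chain {
		h := orig.Clone()
		if i > 0 {
			stripped = !sameDomain(chain[i-1], u) || (sticky && stripped)
			if stripped {
				for _, k := range sensitive {
					h.Del(k)
				}
			}
		}
		out = append(out, h)
	}
	return out
}

func main() {
	// Constructed chain from the advisory: a.com/ -> b.com/1 -> b.com/2.
	chain := []*url.URL{{Host: "a.com", Path: "/"}, {Host: "b.com", Path: "/1"}, {Host: "b.com", Path: "/2"}}
	orig := http.Header{"Authorization": {"Bearer constructed-token"}}
	for _, sticky := range []bool{false, true} {
		for i, h := range headersForHop(orig, chain, sticky) {
			fmt.Printf("sticky=%-5v hop %d %s%s Authorization=%q\n", sticky, i, chain[i].Host, chain[i].Path, h.Get("Authorization"))
		}
	}
}
```

With sticky=false the third hop shows the Authorization value again; with sticky=true it stays empty from the first cross-domain hop onward.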

Classification

CVE ID: CVE-2024-45336

Affected Products

Vendor: Go standard library

Product: net/http

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.25% (share of all scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-02-27 (date the score was calculated)

References

https://go.dev/cl/643100
https://go.dev/issue/70530
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
https://pkg.go.dev/vuln/GO-2025-3420

Timeline