CVE-2024-45340: GOAUTH credential leak in cmd/go

Description

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials it should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

Classification

CVE ID: CVE-2024-45340

Affected Products

Vendor: Go toolchain

Product: cmd/go

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.25% (proportion of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-02-27 (when this score was calculated)

References

https://go.dev/cl/643097
https://go.dev/issue/71249
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://pkg.go.dev/vuln/GO-2025-3383

Timeline