{"schema_version":"1.3.1","id":"GO-2025-3420","modified":"2025-01-30T18:58:58Z","published":"2025-01-28T00:47:30Z","aliases":["CVE-2024-45336"],"summary":"Sensitive headers incorrectly sent after cross-domain redirect in net/http","details":"The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.22.11"},{"introduced":"1.23.0-0"},{"fixed":"1.23.5"},{"introduced":"1.24.0-0"},{"fixed":"1.24.0-rc.2"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Client.do","Client.makeHeadersCopier","Get","Head","Post","PostForm","shouldCopyHeaderOnRedirect"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/643100"},{"type":"REPORT","url":"https://go.dev/issue/70530"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ"}],"credits":[{"name":"Kyle Seely"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3420","review_status":"REVIEWED"}}