CVE-2023-45285 Overview
CVE-2023-45285 affects the Go toolchain's module fetching behavior when using go get to retrieve modules with a .git suffix. The Go command may unexpectedly fall back to the insecure git:// protocol when both https:// and git+ssh:// are unavailable, even when GOINSECURE is not configured for the module. This downgrade exposes module fetching to network-level tampering by attackers positioned to intercept traffic. The flaw affects only users who bypass the module proxy by setting GOPROXY=off and fetch modules directly from source repositories.
Critical Impact
An attacker on the network path can serve malicious code through the unencrypted git:// protocol, compromising the integrity of fetched Go modules used in build pipelines.
Affected Products
- Golang Go (versions prior to the fix in CL 540257)
- Go installations using GOPROXY=off for direct module fetching
- Build environments resolving modules with the .git suffix
Discovery Timeline
- 2023-12-06 - CVE CVE-2023-45285 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-45285
Vulnerability Analysis
The vulnerability resides in the Go command's repository protocol selection logic. When go get resolves a module path ending in .git, it attempts to fetch the repository over secure transports first. If https:// and git+ssh:// both fail, the command silently falls back to plaintext git://. The fallback bypasses the protections normally provided by the GOINSECURE environment variable, which is intended to gate any opt-in to insecure transports.
The git:// protocol provides no transport encryption and no server authentication. An attacker with network position between the developer and the upstream Git server can inject arbitrary repository contents in response to the clone request. Since Go modules execute developer-controlled build logic, malicious module contents can lead to code execution during dependency resolution or build.
The scope is limited to direct fetch configurations (GOPROXY=off or proxy-bypassing setups). Users relying on the default proxy.golang.org module proxy are not affected because module fetches occur through the proxy rather than directly against version control systems.
Root Cause
The root cause is an insecure default in the protocol negotiation path when the .git suffix is present. The fallback path did not consult GOINSECURE before attempting git://, treating the unencrypted protocol as an acceptable last resort rather than requiring explicit opt-in. This represents a missing access control check on insecure communication [CWE-300 / CWE-319 class behavior].
Attack Vector
Exploitation requires the attacker to be on the network path between the developer or build system and the Git server hosting the module. The attacker must also induce failure of the https:// and git+ssh:// attempts, for example by dropping TLS handshakes or blocking SSH ports. Once the Go command retries with git://, the attacker responds to the unauthenticated clone with a malicious repository. The poisoned module is then compiled and executed as part of the build, achieving supply chain compromise. See the Go Vulnerability Report GO-2023-2383 for the upstream technical description.
Detection Methods for CVE-2023-45285
Indicators of Compromise
- Outbound TCP connections on port 9418 (git:// default) from developer workstations or build agents
- go get invocations targeting module paths with a .git suffix in build logs
- Build environments configured with GOPROXY=off or with the module proxy disabled
- Unexpected modifications to go.sum entries for modules fetched directly from VCS
Detection Strategies
- Inspect CI/CD and developer host network telemetry for traffic on TCP/9418 and alert on any occurrence in build pipelines
- Audit Go environment configuration across build infrastructure for GOPROXY and GOINSECURE settings
- Compare go.sum hashes against the public checksum database to catch substituted module contents
Monitoring Recommendations
- Forward Go toolchain output and build agent process telemetry to a central log store for review
- Alert on Go versions older than the patched release running in production build infrastructure
- Track changes to dependency manifests (go.mod, go.sum) in version control with mandatory code review
How to Mitigate CVE-2023-45285
Immediate Actions Required
- Upgrade Go to the patched release that includes CL 540257 addressing Go issue 63845
- Re-enable the module proxy by unsetting GOPROXY=off and using proxy.golang.org or a trusted internal proxy
- Block outbound TCP/9418 (git://) at the network egress for developer and build networks
- Rebuild and re-verify any artifacts produced under vulnerable Go versions using direct VCS fetches
Patch Information
The fix is tracked in the Go project at CL 540257 and issue 63845, with downstream packaging coordinated through the Fedora Package Announcement. Reference details are available in the Go Vulnerability Report GO-2023-2383 and the Golang Dev discussion thread.
Workarounds
- Set GOPROXY to a trusted module proxy instead of off to avoid the direct VCS fetch path entirely
- Configure firewall rules to block the git:// protocol on TCP/9418 from build hosts
- Pin module versions and require checksum verification through GOFLAGS=-mod=readonly and the public checksum database
# Configuration example: enforce secure module fetching
export GOPROXY=https://proxy.golang.org,direct
export GOSUMDB=sum.golang.org
unset GOINSECURE
# Block insecure git protocol at the egress firewall (example iptables rule)
iptables -A OUTPUT -p tcp --dport 9418 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
