CVE-2024-28110 Overview
CVE-2024-28110 affects the Go SDK for CloudEvents, the official library for integrating Go applications with CloudEvents. Versions prior to 2.15.2 leak authentication credentials when developers use cloudevents.WithRoundTripper to construct a cloudevents.Client with an authenticated http.RoundTripper. The SDK installs the authenticated transport on http.DefaultClient, so Authorization tokens are sent to every endpoint that any code in the process contacts through the default client. This weakness is classified under [CWE-522: Insufficiently Protected Credentials]. Version 2.15.2 patches the issue by allocating a dedicated http.Client instead of mutating the default one.
Critical Impact
Authenticated bearer tokens and credentials configured for one CloudEvents endpoint can be transmitted to any arbitrary host contacted using http.DefaultClient, enabling credential theft by unrelated services.
Affected Products
- CloudEvents Go SDK (cloudevents:go_sdk) versions prior to 2.15.2
- Go applications using cloudevents.WithRoundTripper with authenticated transports
- Services that share the process-wide http.DefaultClient with the CloudEvents client
Discovery Timeline
- 2024-03-06 - CVE-2024-28110 published to the National Vulnerability Database (NVD)
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2024-28110
Vulnerability Analysis
The Go SDK for CloudEvents constructs an HTTP protocol handler in v2/protocol/http/protocol.go. When a caller passes an authenticated http.RoundTripper via the cloudevents.WithRoundTripper option, the SDK assigns the transport directly onto http.DefaultClient. Because http.DefaultClient is a package-level singleton in Go's standard library, this mutation affects every caller in the process that uses the default client.
Any subsequent outbound HTTP request issued through http.DefaultClient, including requests made by unrelated libraries, telemetry SDKs, or application code, uses the authenticated transport. If that transport injects an Authorization header, the credential is sent to every destination, not just the CloudEvents broker the developer intended to authenticate against.
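The following is an added example, not code from the sdk-go project, that reproduces the two behaviours described above side by side. vulnerableSetup mirrors the pre-2.15.2 pattern (fall back to http.DefaultClient, then install the caller's transport on it) and fixedSetup mirrors the 2.15.2 pattern (allocate a private client). bearerTransport stands in for whatever authenticated http.RoundTripper a developer would pass to cloudevents.WithRoundTripper, and an httptest server stands in for an unrelated endpoint that some other code in the process contacts through http.DefaultClient. All of these names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport mimics an authenticated http.RoundTripper of the kind a
// developer would hand to cloudevents.WithRoundTripper: it stamps a bearer
// token on every request it forwards. Constructed for this example.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// vulnerableSetup mirrors the pre-2.15.2 behaviour: the protocol falls back to
// the package-level http.DefaultClient and then installs the caller's
// transport on it, which changes every caller of the default client.
func vulnerableSetup(rt http.RoundTripper) *http.Client {
	client := http.DefaultClient // shared singleton
	client.Transport = rt        // process-wide mutation
	return client
}

// fixedSetup mirrors the 2.15.2 fix: a freshly allocated client keeps the
// transport mutation inside the CloudEvents protocol instance.
func fixedSetup(rt http.RoundTripper) *http.Client {
	client := &http.Client{}
	client.Transport = rt
	return client
}

// leakedAuthHeader runs one of the two setups, then issues an unrelated
// request through http.DefaultClient to a constructed test server and
// returns the Authorization header that server observed ("" if none).
func leakedAuthHeader(setup func(http.RoundTripper) *http.Client) string {
	// Restore global state afterwards so the two scenarios stay independent.
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()

	var seen string
	unrelated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	defer unrelated.Close()

	// The CloudEvents client is configured with a token meant only for its broker.
	setup(&bearerTransport{token: "example-token", next: http.DefaultTransport})

	// Some unrelated code in the same process talks to a different host.
	resp, err := http.DefaultClient.Get(unrelated.URL + "/unrelated")
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return seen
}

func main() {
	fmt.Printf("vulnerable setup, unrelated host saw: %q\n", leakedAuthHeader(vulnerableSetup))
	fmt.Printf("fixed setup, unrelated host saw:      %q\n", leakedAuthHeader(fixedSetup))
}
```

Run as a normal Go program; the vulnerable setup shows the bearer token arriving at the unrelated server, the fixed setup shows an empty header. The same check works as a regression test in any service that wraps the SDK: after constructing the CloudEvents client, assert that http.DefaultClient.Transport is still nil.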
Root Cause
The defect stems from sharing mutable global state. The SDK relied on http.DefaultClient as a fallback HTTP client and then overwrote its Transport field rather than constructing a private http.Client. This violates the Go convention that callers should never mutate the default client.
Attack Vector
An attacker who controls or observes any HTTP endpoint contacted by the victim process can harvest leaked bearer tokens, API keys, or signed headers from the Authorization header. The attack does not require code execution on the target host — it only requires that the vulnerable application be configured with a legitimate authenticated round-tripper and subsequently make outbound HTTP calls to attacker-reachable destinations.
}
if p.Client == nil {
- p.Client = http.DefaultClient
+ // This is how http.DefaultClient is initialized. We do not just use
+ // that because when WithRoundTripper is used, it will change the client's
+ // transport, which would cause that transport to be used process-wide.
+ p.Client = &http.Client{}
}
if p.roundTripper != nil {
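Review bot: the new allocation at `p.Client = &http.Client{}` only covers the fallback path; per the added comment, the `if p.roundTripper != nil` branch that follows still changes the transport of whatever client `p.Client` holds, so a caller who passes `http.DefaultClient` explicitly as the client and also uses `WithRoundTripper` reintroduces the process-wide mutation. Worth stating in the `WithRoundTripper` documentation that the round tripper is installed on the configured client and that a dedicated client should be supplied when the two options are combined.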
Source: GitHub commit de2f283. The patch replaces the assignment to http.DefaultClient with a freshly allocated &http.Client{}, isolating transport mutations to the CloudEvents protocol instance.
Detection Methods for CVE-2024-28110
Indicators of Compromise
- Outbound HTTP requests from a Go service carrying Authorization headers to hosts other than the configured CloudEvents broker
- Application dependency manifests (go.mod, go.sum) referencing github.com/cloudevents/sdk-go at versions earlier than 2.15.2
- Unexpected authentication attempts logged by third-party APIs that share the process with a CloudEvents producer
Detection Strategies
- Scan source repositories and built binaries for the cloudevents/sdk-go module at versions below 2.15.2
- Inspect runtime telemetry for outbound TLS connections from CloudEvents-producing services to unexpected domains
- Audit code for use of cloudevents.WithRoundTripper paired with transports that attach credentials
Monitoring Recommendations
- Capture egress proxy logs and alert on Authorization header presence on requests to non-allowlisted destinations
- Use software composition analysis (SCA) in CI pipelines to fail builds that pin vulnerable sdk-go versions
- Rotate any bearer tokens or API keys that may have been routed through the affected client
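As an added example of the monitoring recommendation above (not part of the advisory or the sdk-go project), the function below scans egress proxy log lines and raises an alert whenever a request carrying an Authorization header goes to a host outside the allowlist for the CloudEvents broker. The JSON log format, the field names, and the sample lines in constructedLog are all constructed for this example; a real proxy (Envoy, Squid, etc.) needs a parser for its own format, but the rule is the same.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// egressRecord is the shape of one constructed proxy log line. Only the
// destination host and the list of request header names matter for the rule.
type egressRecord struct {
	Time    string   `json:"ts"`
	Service string   `json:"service"`
	Host    string   `json:"host"`    // destination host[:port]
	Method  string   `json:"method"`
	Path    string   `json:"path"`
	Headers []string `json:"headers"` // names of headers present on the request
}

// credentialEgressAlert records one request that carried credentials to a
// destination that is not allowed to receive them.
type credentialEgressAlert struct {
	Time, Service, Host, Path string
}

// constructedLog is sample proxy output written for this example; it was not
// captured from any real system. Line 4 is deliberately malformed.
const constructedLog = `{"ts":"2024-03-06T10:00:01Z","service":"events-producer","host":"broker.internal:443","method":"POST","path":"/","headers":["Content-Type","Ce-Id","Authorization"]}
{"ts":"2024-03-06T10:00:02Z","service":"events-producer","host":"api.thirdparty.example:443","method":"GET","path":"/v1/status","headers":["Accept","Authorization"]}
{"ts":"2024-03-06T10:00:03Z","service":"events-producer","host":"cdn.example:443","method":"GET","path":"/assets/logo.png","headers":["Accept"]}
not a json line at all
{"ts":"2024-03-06T10:00:04Z","service":"events-producer","host":"telemetry.example:443","method":"POST","path":"/v1/traces","headers":["Content-Type","authorization"]}
`

// hasAuthorization reports whether an Authorization header was present.
// Header names are case-insensitive, so compare with EqualFold.
func hasAuthorization(headerNames []string) bool {
	for _, h := range headerNames {
		if strings.EqualFold(h, "Authorization") {
			return true
		}
	}
	return false
}

// findCredentialEgress applies the rule "Authorization header present AND
// destination host not allowlisted" to every line of log. It returns the
// alerts in log order and the number of lines it could not parse, so a
// broken log pipeline does not silently hide misses.
func findCredentialEgress(log string, allowedHosts map[string]bool) (alerts []credentialEgressAlert, malformed int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec egressRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			malformed++
			continue
		}
		if !hasAuthorization(rec.Headers) || allowedHosts[rec.Host] {
			continue
		}
		alerts = append(alerts, credentialEgressAlert{rec.Time, rec.Service, rec.Host, rec.Path})
	}
	return alerts, malformed
}

func main() {
	allowed := map[string]bool{"broker.internal:443": true}
	alerts, malformed := findCredentialEgress(constructedLog, allowed)
	for _, a := range alerts {
		fmt.Printf("ALERT %s service=%s sent Authorization to %s%s\n", a.Time, a.Service, a.Host, a.Path)
	}
	fmt.Printf("%d alert(s), %d unparsable line(s)\n", len(alerts), malformed)
}
```

On the sample data this flags the requests to api.thirdparty.example and telemetry.example and counts the malformed line; the broker request is allowed and the CDN request carries no credentials. Keep the allowlist per service rather than global where the proxy logs identify the source, since the only host that should ever receive the CloudEvents token is that service's broker.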
How to Mitigate CVE-2024-28110
Immediate Actions Required
- Upgrade github.com/cloudevents/sdk-go/v2 to version 2.15.2 or later in all Go applications
- Identify any callers using cloudevents.WithRoundTripper with authenticated transports and review historical egress for credential exposure
- Rotate credentials embedded in round-trippers if outbound traffic logs cannot rule out leakage
Patch Information
The fix is available in CloudEvents Go SDK 2.15.2. Refer to the GitHub Security Advisory GHSA-5pf6-2qwx-pxm2 and the upstream commit de2f283 for full details. The patch allocates a dedicated http.Client rather than mutating http.DefaultClient.
Workarounds
- Pass an explicit *http.Client to the CloudEvents protocol constructor instead of relying on the default client
- Avoid attaching Authorization headers inside a RoundTripper; inject them per-request through context-aware middleware that validates the destination host
- Pin cloudevents/sdk-go to a patched version using Go module replace directives until full upgrades are completed
# Update the CloudEvents Go SDK to the patched release
go get github.com/cloudevents/sdk-go/v2@v2.15.2
go mod tidy
# Verify the resolved version
go list -m github.com/cloudevents/sdk-go/v2
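The first two workarounds above, passing an explicit client and scoping the credential to the broker's host, can be combined in one transport. The following added example (not code from the sdk-go project; scopedAuthTransport, newBrokerClient and the test-server plumbing are constructed here) builds a private *http.Client whose round tripper attaches the bearer token only when the request is bound for the broker's host and forwards every other request untouched. Because the client is private, http.DefaultClient is never mutated, and even if the client were shared, the token could not reach another host.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// scopedAuthTransport attaches a bearer token only to requests whose
// destination host is allowlisted. Other requests are forwarded without
// credentials rather than rejected, so code that legitimately shares the
// client keeps working while the token stays with the broker. Constructed
// for this example.
type scopedAuthTransport struct {
	token        string
	allowedHosts map[string]bool // host[:port] values that may receive the token
	next         http.RoundTripper
}

func (t *scopedAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if !t.allowedHosts[req.URL.Host] {
		return t.next.RoundTrip(req)
	}
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// newBrokerClient returns a dedicated client that authenticates only to the
// host of brokerURL. This is the client to hand to the CloudEvents protocol
// explicitly instead of relying on http.DefaultClient.
func newBrokerClient(brokerURL, token string) (*http.Client, error) {
	u, err := url.Parse(brokerURL)
	if err != nil {
		return nil, err
	}
	if u.Host == "" {
		return nil, errors.New("broker URL has no host component")
	}
	return &http.Client{
		Transport: &scopedAuthTransport{
			token:        token,
			allowedHosts: map[string]bool{u.Host: true},
			next:         http.DefaultTransport,
		},
	}, nil
}

// recordingServer is a constructed test server that remembers the last
// Authorization header it received.
func recordingServer() (*httptest.Server, *string) {
	seen := new(string)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*seen = r.Header.Get("Authorization")
	}))
	return srv, seen
}

// demo sends one request to a stand-in broker and one to a stand-in unrelated
// API through the same scoped client and returns what each server saw.
func demo() (brokerSeen, otherSeen string, err error) {
	broker, brokerHdr := recordingServer()
	defer broker.Close()
	other, otherHdr := recordingServer()
	defer other.Close()

	client, err := newBrokerClient(broker.URL, "example-token")
	if err != nil {
		return "", "", err
	}
	for _, target := range []string{broker.URL + "/events", other.URL + "/metrics"} {
		resp, getErr := client.Get(target)
		if getErr != nil {
			return "", "", getErr
		}
		resp.Body.Close()
	}
	return *brokerHdr, *otherHdr, nil
}

func main() {
	b, o, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("broker saw: %q\nunrelated host saw: %q\n", b, o)
	fmt.Printf("http.DefaultClient transport untouched: %v\n", http.DefaultClient.Transport == nil)
}
```

The allowlist is keyed on host[:port] exactly as it appears in the request URL, so a broker configured as https://broker.internal:443 will not match a request to https://broker.internal unless both forms are added; normalising the port is a deliberate choice to leave to the caller.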
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.