CVE-2024-45258 Overview
CVE-2024-45258 is an improper input validation vulnerability affecting the req HTTP client package for Go prior to version 3.43.4. The vulnerability exists in the cleanHost function within http.go, which follows a "garbage in, garbage out" design philosophy. This approach allows malformed URLs to be processed without proper validation, potentially causing unintended HTTP requests to be sent to unexpected destinations.
Critical Impact
Applications using affected versions of the req package may send HTTP requests to unintended hosts when processing malformed URLs, potentially leading to server-side request forgery (SSRF), data exfiltration, or unauthorized access to internal resources.
Affected Products
- req package for Go versions prior to 3.43.4
- Applications built using vulnerable versions of github.com/imroc/req/v3
Discovery Timeline
- 2024-08-25 - CVE-2024-45258 published to NVD
- 2024-08-26 - Last updated in NVD database
Technical Details for CVE-2024-45258
Vulnerability Analysis
The vulnerability stems from inadequate input validation in the HTTP request handling logic of the req package. The cleanHost function was designed with a permissive "garbage in, garbage out" approach, meaning it would attempt to process malformed or malicious URL inputs without proper sanitization. This design flaw allows attackers to craft specially malformed URLs that bypass intended host validation, resulting in HTTP requests being sent to unintended destinations.
The core issue lies in how the package processes the Host header and URL host components. When a request is constructed with a malformed URL, the previous implementation would truncate the Host header after encountering certain characters like / or spaces. While some users relied on this behavior for edge cases (such as Unix domain socket paths), it opened a potential request smuggling vector by sending altered header fields.
Root Cause
The root cause is classified as CWE-20 (Improper Input Validation). The cleanHost function in http.go failed to properly validate and reject malformed host values before constructing HTTP requests. Instead of enforcing strict validation on URL components, the function attempted to clean and process potentially malicious input, creating an opportunity for attackers to manipulate request destinations.
Attack Vector
The attack is network-based and can be exploited remotely without authentication. An attacker can exploit this vulnerability by providing a malformed URL to an application that uses the vulnerable req package. The malformed URL bypasses the host validation logic, causing the application to send HTTP requests to an attacker-controlled server or internal resources that should not be accessible.
Attack scenarios include:
- SSRF attacks: Crafting URLs that redirect requests to internal services
- Request smuggling: Manipulating host headers to bypass security controls
- Data exfiltration: Redirecting sensitive data to attacker-controlled endpoints
// Security patch in transport.go - prevent successful requests from invalid host
// Source: https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d
// is not given, use the host from the request URL.
//
// Clean the host, in case it arrives with unexpected stuff in it.
- host := cleanHost(r.Host)
+ host := r.Host
if host == "" {
if r.URL == nil {
return errMissingHost
}
- host = cleanHost(r.URL.Host)
+ host = r.URL.Host
+ }
+ host, err = httpguts.PunycodeHostPort(host)
+ if err != nil {
+ return err
+ }
+
+ // Validate that the Host header is a valid header in general,
+ // but don't validate the host itself. This is sufficient to avoid
+ // header or request smuggling via the Host field.
+ // The server can (and will, if it's a net/http server) reject
+ // the request if it doesn't consider the host valid.
+ if !httpguts.ValidHostHeader(host) {
+ // Historically, we would truncate the Host header after '/' or ' '.
+ // Some users have relied on this truncation to convert a network
+ // address such as Unix domain socket path into a valid, ignored
+ // Host header (see https://go.dev/issue/61431).
+ //
+ // We don't preserve the truncation, because sending an altered
+ // header field opens a smuggling vector. Instead, zero out the
The patch removes the permissive cleanHost function and replaces it with proper validation using httpguts.PunycodeHostPort and httpguts.ValidHostHeader to ensure host values are legitimate before processing requests.
Detection Methods for CVE-2024-45258
Indicators of Compromise
- Unusual outbound HTTP requests to unexpected destinations from Go applications
- Network traffic showing malformed Host headers or URL paths containing special characters
- Application logs containing errors related to invalid host validation after patching
- Connections to internal services or metadata endpoints that should not be accessible from the application
Detection Strategies
- Implement network monitoring to detect anomalous outbound HTTP request patterns from Go applications
- Review application dependencies using go list -m all to identify vulnerable req package versions
- Deploy web application firewalls (WAF) with rules to detect malformed URL patterns in requests
- Utilize SentinelOne's Singularity platform to monitor for suspicious network activity and process behavior associated with exploitation attempts
Monitoring Recommendations
- Enable detailed logging for all outbound HTTP requests in applications using the req package
- Monitor for connections to internal IP ranges or cloud metadata endpoints from user-facing applications
- Implement egress filtering to restrict outbound connections to known-good destinations
- Use dependency scanning tools in CI/CD pipelines to detect vulnerable package versions before deployment
How to Mitigate CVE-2024-45258
Immediate Actions Required
- Upgrade the req package to version 3.43.4 or later immediately
- Audit applications using the req package for potential exploitation
- Review network logs for any signs of unintended outbound requests
- Implement input validation for all URL inputs before passing them to HTTP client libraries
Patch Information
The vulnerability has been addressed in req package version 3.43.4. The fix removes the permissive cleanHost function and implements proper host validation using the httpguts package to validate Host headers before processing requests. The security patch can be reviewed at the GitHub commit and the version comparison.
Workarounds
- If immediate patching is not possible, implement URL validation at the application layer before passing URLs to the req package
- Deploy network-level controls to restrict outbound connections from affected applications
- Use a reverse proxy with strict URL validation to filter requests before they reach the application
- Consider temporarily switching to an alternative HTTP client library until the upgrade can be completed
# Upgrade the req package to the patched version
go get github.com/imroc/req/v3@v3.43.4
# Verify the installed version
go list -m github.com/imroc/req/v3
# Update go.mod and rebuild the application
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
