CVE-2024-45336 Overview
CVE-2024-45336 is an information disclosure vulnerability in the Go programming language's HTTP client implementation. The vulnerability occurs when the HTTP client incorrectly handles sensitive headers during redirect chains. While the client properly drops sensitive headers (such as Authorization) after following a cross-domain redirect, it fails to maintain this protection when a subsequent same-domain redirect occurs in the chain.
For example, when a request to a.com/ containing an Authorization header is redirected to b.com/, the header is correctly stripped. However, if b.com/ then redirects to another path on the same domain (e.g., b.com/2), the sensitive headers are incorrectly restored and sent to the untrusted domain. This creates a potential credential leakage scenario where authentication tokens could be exposed to unintended recipients.
Critical Impact
Sensitive authentication headers including Authorization tokens may be leaked to untrusted third-party domains through crafted redirect chains, potentially enabling unauthorized access to protected resources.
Affected Products
- Go programming language HTTP client (net/http package)
- Applications built with Go that use the standard HTTP client with automatic redirect following
- NetApp products (as referenced in NetApp Security Advisory NTAP-20250221-0003)
Discovery Timeline
- 2025-01-28 - CVE-2024-45336 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-45336
Vulnerability Analysis
This vulnerability stems from a logic flaw in the Go HTTP client's redirect handling mechanism. The HTTP client is designed to protect sensitive headers by stripping them when following redirects to a different domain—a security measure intended to prevent credential leakage. However, the implementation contains a flaw in how it tracks and restores headers during complex redirect scenarios.
The issue manifests specifically in multi-hop redirect chains where the client first crosses domain boundaries (correctly dropping sensitive headers) but then encounters a same-domain redirect on the target domain. The client's internal state machine incorrectly interprets this same-domain redirect as a reason to restore the previously stripped sensitive headers, violating the security boundary that was established during the initial cross-domain redirect.
This vulnerability can be exploited by attackers who control or can manipulate redirect responses from web servers. By crafting a specific redirect chain, an attacker could intercept authentication credentials that were intended only for the original trusted domain.
Root Cause
The root cause lies in the HTTP client's header management logic during redirect processing. When processing redirects, the client maintains state about which headers to preserve or strip. The logic correctly identifies cross-domain redirects and strips sensitive headers, but fails to maintain this "stripped" state when processing subsequent same-domain redirects. Instead, it restores the original headers based on the same-domain condition, not accounting for the previous cross-domain hop in the chain.
Attack Vector
An attacker can exploit this vulnerability through a network-based attack requiring user interaction. The attack scenario involves:
- An attacker controls or compromises a web server that can issue HTTP redirects
- A victim's Go-based application makes an authenticated request to a trusted domain
- The trusted domain (or an attacker performing a man-in-the-middle attack) issues a redirect to an attacker-controlled domain
- The attacker's domain issues a same-domain redirect (e.g., from attacker.com/1 to attacker.com/2)
- The Go HTTP client incorrectly sends the victim's Authorization header to attacker.com/2
The vulnerability requires the victim to initiate a request with sensitive headers to a domain that can be manipulated to produce the malicious redirect chain. This could occur through compromised web applications, open redirectors, or man-in-the-middle attacks.
For technical implementation details, refer to the Go.dev Issue Discussion and Go.dev Bug Issue.
Detection Methods for CVE-2024-45336
Indicators of Compromise
- Unexpected HTTP requests containing Authorization headers to domains that should not receive authentication credentials
- Network traffic patterns showing redirect chains crossing domain boundaries followed by same-domain redirects
- Application logs indicating authentication failures or unauthorized access attempts following redirect-based workflows
Detection Strategies
- Monitor outbound HTTP traffic for sensitive headers being sent to unexpected domains, particularly following redirect chains
- Implement network-level inspection to detect multi-hop redirect chains that cross domain boundaries
- Review application logs for unusual redirect patterns or authentication token usage anomalies
- Use SentinelOne's behavioral AI to detect unusual network communication patterns from Go-based applications
Monitoring Recommendations
- Enable detailed HTTP client logging in Go applications to capture redirect behavior and header transmission
- Implement network segmentation monitoring to detect sensitive credential leakage across trust boundaries
- Configure alerts for applications making requests to unexpected domains with authentication headers
- Regularly audit Go dependencies and runtime versions across your infrastructure
How to Mitigate CVE-2024-45336
Immediate Actions Required
- Update Go installations to patched versions that address this vulnerability
- Review Go applications that use the standard HTTP client with automatic redirect following
- Implement custom redirect policies in critical applications to validate redirect chains before following
- Audit network traffic from Go-based services for potential credential leakage
Patch Information
The Go development team has addressed this vulnerability through code changes tracked in the Go.dev changelist. Organizations should update to the latest patched Go version as soon as available. Additional details about the vulnerability and affected versions can be found in the Go.dev Vulnerability Database entry GO-2025-3420.
NetApp has also released guidance for affected products in their Security Advisory NTAP-20250221-0003.
Workarounds
- Implement a custom CheckRedirect function in Go HTTP clients to prevent following redirect chains that cross domain boundaries
- Strip sensitive headers manually before making HTTP requests that may involve redirects to untrusted domains
- Use proxy-based HTTP clients that provide more granular control over header propagation during redirects
- Consider implementing token-based authentication that is domain-scoped rather than using headers that persist across redirects
# Configuration example
# Check Go version and update if needed
go version
# Update to latest Go version
# On Linux/macOS using official installer:
# Download latest from https://go.dev/dl/
# Verify vulnerability status using govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
