CVE-2025-4673 Overview
CVE-2025-4673 is an information disclosure vulnerability affecting the Go programming language's HTTP client implementation. The vulnerability occurs when Proxy-Authorization and Proxy-Authenticate headers persist across cross-origin redirects, potentially leaking sensitive proxy authentication credentials to unintended third-party servers.
Critical Impact
Proxy authentication credentials may be inadvertently transmitted to malicious or unintended servers when following cross-origin HTTP redirects, enabling credential theft and potential unauthorized access to proxy infrastructure.
Affected Products
- Go programming language HTTP client library
- Applications using Go's net/http package for HTTP requests through proxies
- Go versions prior to the security patch (refer to Go.dev Vulnerability Report for affected versions)
Discovery Timeline
- 2025-06-11 - CVE-2025-4673 published to NVD
- 2025-06-12 - Last updated in NVD database
Technical Details for CVE-2025-4673
Vulnerability Analysis
This vulnerability represents an information leakage flaw in Go's HTTP client redirect handling logic. When an HTTP client configured to use a proxy follows a redirect to a different origin, it improperly retains the Proxy-Authorization and Proxy-Authenticate headers in the subsequent request. According to HTTP standards and security best practices, authentication headers should be stripped when requests cross origin boundaries to prevent credential leakage.
The flaw allows an attacker controlling a web server to craft a redirect response that causes a victim's HTTP client to forward proxy credentials to an attacker-controlled endpoint. This is particularly concerning in enterprise environments where proxy authentication credentials may provide access to internal network resources.
Root Cause
The root cause lies in the redirect handling logic within Go's net/http package. The HTTP client implementation fails to properly sanitize sensitive authentication headers when following redirects that cross origin boundaries. The code responsible for handling redirects does not distinguish between same-origin and cross-origin scenarios when determining which headers to preserve, leading to unintended credential exposure.
The fix implemented in Go.dev Code Review CL/679257 addresses this by ensuring that Proxy-Authorization and Proxy-Authenticate headers are stripped from requests when following cross-origin redirects.
Attack Vector
The attack vector is network-based, requiring an attacker to either control a web server that the victim visits or perform a man-in-the-middle attack to inject malicious redirect responses. The attack scenario proceeds as follows:
- A victim application makes an HTTP request through a proxy to an attacker-controlled server
- The attacker's server responds with a redirect (HTTP 301, 302, 307, or 308) to a different origin also controlled by the attacker
- The vulnerable Go HTTP client follows the redirect while preserving the Proxy-Authorization header
- The attacker captures the proxy credentials from the redirected request
This vulnerability can be exploited without user interaction, though it requires high attack complexity as the attacker must be in a position to receive the redirected request.
Detection Methods for CVE-2025-4673
Indicators of Compromise
- Unexpected HTTP requests containing Proxy-Authorization headers sent to external or untrusted servers
- Proxy authentication failures following legitimate requests, potentially indicating credential reuse by attackers
- Log entries showing proxy credentials being transmitted to non-proxy endpoints
Detection Strategies
- Monitor outbound HTTP traffic for Proxy-Authorization headers in requests to non-proxy destinations
- Implement network-level inspection to detect authentication headers being sent across different origin boundaries
- Review application logs for unusual redirect chains, particularly those involving cross-origin redirects
- Audit Go application dependencies to identify use of affected net/http package versions
Monitoring Recommendations
- Enable detailed HTTP request logging in applications to track header propagation across redirects
- Configure proxy servers to log authentication attempts and correlate with application-level redirect activity
- Implement alerting for proxy authentication attempts from unexpected source IPs or for resources outside normal access patterns
How to Mitigate CVE-2025-4673
Immediate Actions Required
- Update Go to the latest patched version as specified in the Go.dev Vulnerability Report
- Review and rebuild applications that use Go's net/http package with the patched Go version
- Audit application code for custom HTTP client configurations that may be affected
- Consider rotating proxy credentials if there is evidence of potential exposure
Patch Information
The Go development team has addressed this vulnerability through a security patch. Technical details of the fix are available in the Go.dev Code Review. The issue is tracked in the Go.dev Issue Tracker, and the official announcement was made via Google Groups.
Organizations should update their Go installations and recompile affected applications using the patched version to remediate this vulnerability.
Workarounds
- Implement a custom CheckRedirect function in the HTTP client that strips Proxy-Authorization headers before following cross-origin redirects
- Use an HTTP client wrapper that validates redirect destinations before allowing credentials to propagate
- Configure network-level controls to prevent proxy authentication headers from reaching non-proxy endpoints
- Consider disabling automatic redirect following in sensitive applications and handling redirects manually with appropriate header sanitization
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
