The req package before 3.43.4 for Go may send an unintended request when a malformed URL is provided, because cleanHost in http.go intentionally uses a "garbage in, garbage out" design.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45258.json",
"cna_assigner": "mitre"
}