GHSA-cj55-gc7m-wvcq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cj55-gc7m-wvcq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cj55-gc7m-wvcq
- Aliases
- Published
- 2024-08-26T00:30:54Z
- Modified
- 2024-11-18T16:27:07Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- req may send an unintended request when a malformed URL is provided
- Details
-
The
reqlibrary is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.Despite developers potentially utilizing the
net/urllibrary to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how thenet/urlandreqlibraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE). - Database specific
{ "nvd_published_at": "2024-08-25T22:15:05Z", "cwe_ids": [ "CWE-20", "CWE-918", "CWE-94" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-26T15:54:18Z" }- References
Affected packages
Go / github.com/imroc/req/v3
Package
- Name
- github.com/imroc/req/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/imroc/req/v3
Go / github.com/imroc/req
Package
- Name
- github.com/imroc/req
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/imroc/req
Go / github.com/imroc/req/v2
Package
- Name
- github.com/imroc/req/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/imroc/req/v2