GO-2024-3098

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-3098

Import Source

https://vuln.go.dev/ID/GO-2024-3098.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-3098

Aliases

Published

2024-09-13T21:53:40Z

Modified

2024-09-13T22:27:42.487119Z

Summary

The req library may send an unintended request when a malformed URL is provided in github.com/imroc/req

Details

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.

Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-3098"
}

References

Affected packages

Go / github.com/imroc/req

Package

Name: github.com/imroc/req; View open source insights on deps.dev
Purl: pkg:golang/github.com/imroc/req

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/imroc/req"
        }
    ]
}

Go / github.com/imroc/req/v2

Package

Name: github.com/imroc/req/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/imroc/req/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/imroc/req/v2"
        }
    ]
}

Go / github.com/imroc/req/v3

Package

Name: github.com/imroc/req/v3; View open source insights on deps.dev
Purl: pkg:golang/github.com/imroc/req/v3

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.43.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/imroc/req/v3",
            "symbols": [
                "Delete",
                "Get",
                "Head",
                "HttpRoundTripFunc.RoundTrip",
                "MustDelete",
                "MustGet",
                "MustHead",
                "MustOptions",
                "MustPatch",
                "MustPost",
                "MustPut",
                "Options",
                "ParallelDownload.Do",
                "Patch",
                "Post",
                "Put",
                "Request.Delete",
                "Request.Do",
                "Request.Get",
                "Request.Head",
                "Request.MustDelete",
                "Request.MustGet",
                "Request.MustHead",
                "Request.MustOptions",
                "Request.MustPatch",
                "Request.MustPost",
                "Request.MustPut",
                "Request.Options",
                "Request.Patch",
                "Request.Post",
                "Request.Put",
                "Request.Send",
                "Transport.CancelRequest",
                "Transport.CloseIdleConnections",
                "Transport.RoundTrip",
                "cleanHost",
                "persistConn.writeRequest",
                "roundTripImpl.RoundTrip"
            ]
        }
    ]
}