GO-2025-3751

Source
https://pkg.go.dev/vuln/GO-2025-3751
Import Source
https://vuln.go.dev/ID/GO-2025-3751.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2025-3751
Aliases
Published
2025-06-11T16:23:58Z
Modified
2025-06-14T06:28:26.229496Z
Summary
Sensitive headers not cleared on cross-origin redirect in net/http
Details

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information.
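
For clients that cannot yet be rebuilt with a fixed release (1.23.10 or 1.24.4), a `CheckRedirect` hook can drop the two headers itself before a redirected request leaves the original origin. This is an added example, not code from the Go project or from this advisory; `stripProxyHeaders` and `headerAfterRedirect` are hypothetical names, the header value is constructed, and treating scheme plus host:port as the origin is the example's own assumption.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// stripProxyHeaders (hypothetical name) deletes the headers named in GO-2025-3751
// when a redirect leaves the first request's origin (assumed: scheme + host:port).
func stripProxyHeaders(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // a custom hook replaces the default policy, so keep its limit
		return errors.New("stopped after 10 redirects")
	}
	first := via[0].URL
	if req.URL.Scheme != first.Scheme || req.URL.Host != first.Host {
		req.Header.Del("Proxy-Authorization")
		req.Header.Del("Proxy-Authenticate")
	}
	return nil
}

// headerAfterRedirect sends Proxy-Authorization to a local server that redirects
// to a second local server on another port, and returns what the second one saw.
func headerAfterRedirect(c *http.Client) (string, error) {
	target := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get("Proxy-Authorization"))
	}))
	defer target.Close()
	origin := httptest.NewServer(http.RedirectHandler(target.URL, http.StatusFound))
	defer origin.Close()
	req, err := http.NewRequest("GET", origin.URL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ=") // constructed value
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	fmt.Println(headerAfterRedirect(&http.Client{CheckRedirect: stripProxyHeaders}))
}
```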

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2025-3751"
}
References
Credits
    • Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.23.10
Introduced
1.24.0-0
Fixed
1.24.4

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "Client.Do",
                "Client.Get",
                "Client.Head",
                "Client.Post",
                "Client.PostForm",
                "Client.makeHeadersCopier",
                "Get",
                "Head",
                "Post",
                "PostForm"
            ]
        }
    ]
}