{"id":"CVE-2024-45336","details":"The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.","aliases":["BIT-golang-2024-45336","GO-2025-3420"],"modified":"2026-02-17T16:13:52.884865Z","published":"2025-01-28T02:15:28Z","related":["ALSA-2025:3772","ALSA-2025:7466","CGA-h8rc-vc74-27g6","MGASA-2025-0021","SUSE-SU-2025:01731-1","SUSE-SU-2025:0280-1","SUSE-SU-2025:0281-1","SUSE-SU-2025:0285-1","SUSE-SU-2025:0297-1","SUSE-SU-2025:03159-1","SUSE-SU-2025:0429-1","SUSE-SU-2025:1555-1","openSUSE-SU-2025:14693-1","openSUSE-SU-2025:14694-1","openSUSE-SU-2025:14695-1","openSUSE-SU-2025:14710-1","openSUSE-SU-2025:15030-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250221-0003/"},{"type":"WEB","url":"https://go.dev/cl/643100"},{"type":"WEB","url":"https://go.dev/issue/70530"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-3420"}],"schema_version":"1.7.3"}