{"id":"GO-2025-3383","summary":"GOAUTH credential leak in cmd/go","details":"Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.","aliases":["BIT-golang-2024-45340","CVE-2024-45340"],"modified":"2025-01-30T20:12:02.393685Z","published":"2025-01-28T00:47:30Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3383","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/643097"},{"type":"REPORT","url":"https://go.dev/issue/71249"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.24.0-0"},{"fixed":"1.24.0-rc.2"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3383.json"}}],"schema_version":"1.7.3","credits":[{"name":"Juho Forsén of Mattermost"}]}