{"id":"GO-2025-3420","summary":"Sensitive headers incorrectly sent after cross-domain redirect in net/http","details":"The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.","aliases":["BIT-golang-2024-45336","CVE-2024-45336"],"modified":"2026-02-17T16:13:53.083304Z","published":"2025-01-28T00:47:30Z","related":["CGA-h8rc-vc74-27g6"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-3420"},"references":[{"type":"FIX","url":"https://go.dev/cl/643100"},{"type":"REPORT","url":"https://go.dev/issue/70530"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.22.11"},{"introduced":"1.23.0-0"},{"fixed":"1.23.5"},{"introduced":"1.24.0-0"},{"fixed":"1.24.0-rc.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Client.do","Client.makeHeadersCopier","Get","Head","Post","PostForm","shouldCopyHeaderOnRedirect"],"path":"net/http"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3420.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kyle Seely"}]}