Golang HTTP Client Sensitive Header Stripping Vulnerability After Cross-Domain Redirect

Vulnerability

A vulnerability exists in the Go programming language's HTTP client in how sensitive headers, such as Authorization, are handled across redirects. The client correctly drops such headers when following a cross-domain redirect, but if a same-domain redirect follows, the header is restored and sent, potentially delivering it to the wrong domain. This issue is present in Go versions through 1.22.10, 1.23.0-0 prior to 1.23.5, and 1.24.0-0 prior to 1.24.0-rc.2. It can be reproduced by sending a request with an Authorization header to a domain that redirects to another domain: the header is not sent to that second domain, yet a subsequent same-domain redirect there causes it to be sent.

Impact

Exploitation of this vulnerability results in sensitive information, specifically Authorization headers, being sent to a domain that should never receive them during HTTP redirects, which could lead to unauthorized access or actions with the leaked credential.

Reproduction

To reproduce this vulnerability, send an HTTP request to a domain (e.g., a.com) that includes an Authorization header, and have that domain redirect to a different domain (e.g., b.com); the Authorization header is correctly omitted from the request to b.com. Then, if b.com redirects again within the b.com domain, the Authorization header is restored and sent to b.com, which is the security issue.
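The three-hop sequence above as a regression check, added here and not code from the original advisory or the Go project: a.example and b.example are made-up hostnames that a custom dialer maps onto two local httptest servers, so the client sees two distinct domains. The returned slice says, per hop, whether the Authorization header arrived; a fixed toolchain yields [true false false], an affected one [true false true].

```go
package main

import (
	"context"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// RedirectProbe sends one request with an Authorization header through
// a.example -> b.example/hop -> b.example/final (made-up hosts backed by local
// httptest listeners) and reports, per hop, whether the header was received.
func RedirectProbe() ([]bool, error) {
	var mu sync.Mutex
	var seen []bool
	note := func(r *http.Request) {
		mu.Lock()
		seen = append(seen, r.Header.Get("Authorization") != "")
		mu.Unlock()
	}
	srvB := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // b.example
		note(r)
		if r.URL.Path == "/hop" { // same-domain redirect, the hop that triggers the bug
			http.Redirect(w, r, "/final", http.StatusFound)
		}
	}))
	defer srvB.Close()
	srvA := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // a.example
		note(r)
		http.Redirect(w, r, "http://b.example/hop", http.StatusFound) // cross-domain redirect
	}))
	defer srvA.Close()
	// Map the fake hostnames onto the listeners; httptest alone would give one host (127.0.0.1).
	addr := map[string]string{"a.example:80": srvA.Listener.Addr().String(), "b.example:80": srvB.Listener.Addr().String()}
	dial := func(ctx context.Context, network, a string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, addr[a])
	}
	client := &http.Client{Transport: &http.Transport{DialContext: dial}}
	req, _ := http.NewRequest(http.MethodGet, "http://a.example/start", nil)
	req.Header.Set("Authorization", "Bearer constructed-test-token") // constructed value, not a real credential
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen, nil
}
```

Running this as a test in CI flags any toolchain that restores the header on the third hop before it reaches production.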

Remediation

Users can upgrade to Go 1.24.0-rc.2 or 1.23.5, both of which include the fix. Instructions for downloading these versions are available on the Go website.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.0
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.