Vulnerability Report: GO-2024-2600

standard library

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from to will forward the Authorization header, but a redirect to will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
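The advisory above describes a rule inside http.Client that decides when Authorization and Cookie survive a redirect. A defender who does not want to depend on that rule can install a CheckRedirect policy of their own: the policy runs after the client has already copied headers into the redirected request and before that request is sent, so headers deleted there are never forwarded. The following is an added example, not code from the advisory or from the Go standard library; the names sameOrigin, stripOnOriginChange, NewHardenedClient, headerSink and RunScenario are assumptions, Proxy-Authorization is added to the header list as an assumption, and the origin comparison is deliberately stricter than the domain/subdomain match in the advisory (scheme and host:port must be identical). The two test servers and the bearer token are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Headers that must not be carried to a different origin on redirect.
// Authorization and Cookie come from the advisory; Proxy-Authorization is an assumption.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Proxy-Authorization"}

// sameOrigin compares scheme and host:port. This is stricter than the
// domain/subdomain rule the advisory describes: a different port or a
// subdomain counts as a new origin (assumed policy, not the library's).
func sameOrigin(initial, next *url.URL) bool {
	return strings.EqualFold(initial.Scheme, next.Scheme) &&
		strings.EqualFold(initial.Host, next.Host)
}

// stripOnOriginChange is a CheckRedirect policy. http.Client calls it after
// copying headers into req.Header and before sending req, so deleting the
// sensitive headers here prevents forwarding regardless of the library rule.
func stripOnOriginChange(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if !sameOrigin(via[0].URL, req.URL) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// NewHardenedClient returns an http.Client with the policy installed.
func NewHardenedClient() *http.Client {
	return &http.Client{CheckRedirect: stripOnOriginChange}
}

// headerSink records the Authorization value the final handler received.
type headerSink struct {
	mu   sync.Mutex
	last string
}

func (s *headerSink) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	s.last = r.Header.Get("Authorization")
	s.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// RunScenario issues one authenticated GET through the hardened client.
// The origin server redirects /start to a sink that lives either on the same
// server (crossOrigin=false) or on a second test server (crossOrigin=true).
// It returns the Authorization value the sink observed ("" if stripped).
func RunScenario(crossOrigin bool) (string, error) {
	sink := &headerSink{}
	var target string // set before the request is issued
	mux := http.NewServeMux()
	mux.Handle("/final", sink)
	mux.HandleFunc("/start", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target, http.StatusFound)
	})
	origin := httptest.NewServer(mux)
	defer origin.Close()

	target = origin.URL + "/final"
	if crossOrigin {
		other := httptest.NewServer(sink) // same loopback IP, different port
		defer other.Close()
		target = other.URL + "/final"
	}

	req, err := http.NewRequest(http.MethodGet, origin.URL+"/start", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer constructed-sample-token")

	resp, err := NewHardenedClient().Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()

	sink.mu.Lock()
	defer sink.mu.Unlock()
	return sink.last, nil
}

func main() {
	same, _ := RunScenario(false)
	cross, _ := RunScenario(true)
	fmt.Printf("same-origin redirect, Authorization seen: %q\n", same)
	fmt.Printf("cross-origin redirect, Authorization seen: %q\n", cross)
}
```

Because both test servers listen on the same loopback address, the library's own domain/subdomain rule would treat the second server as the same domain and forward the header; the port-sensitive policy above is what strips it. Applications that need the library's behaviour exactly can loosen sameOrigin, but the point stands: the forwarding decision belongs in the caller's CheckRedirect, where it can be tested, rather than in an implicit rule.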

Affected Packages




  • Juho Nurminen of Mattermost


