Skip to content

net/http: sensitive headers not cleared on cross-origin redirect CVE-2025-4673 #73816

New issue
New issue
Closed
Closed
net/http: sensitive headers not cleared on cross-origin redirect CVE-2025-4673#73816
Assignees
thatnealpatel
Labels
Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
Go1.25
@thatnealpatel

Description

@thatnealpatel
thatnealpatel
opened on May 21, 2025

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

This is CVE-2025-4673

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

Labels

Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions