CVE-2024-45336: 
cAdvisor vulnerability analysis and mitigation

CVE-2024-45336 is a security vulnerability discovered in the Go programming language's net/http package. The vulnerability was disclosed on January 27, 2025, affecting the HTTP client functionality. The issue occurs when the client handles sensitive headers during cross-domain redirects. This vulnerability impacts Go versions before 1.22.11 and before 1.23.5, as well as development versions before 1.24.0-rc.2 (Go Issue, NVD).

The vulnerability involves the HTTP client's handling of sensitive headers during redirect chains. When a request containing sensitive headers (such as Authorization) is redirected from one domain to another (e.g., from a.com to b.com), the client correctly drops these headers. However, if a subsequent same-domain redirect occurs (e.g., from b.com/1 to b.com/2), the client incorrectly restores the sensitive headers that were previously dropped. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could lead to unauthorized disclosure of sensitive information. When exploited, it could allow sensitive headers (including authentication credentials) to be sent to unintended destinations during redirect chains, potentially exposing confidential information to unauthorized domains (Go Announcement).

The vulnerability has been fixed in Go versions 1.22.11 and 1.23.5. Users are advised to upgrade to these versions or later. The fix was implemented through a patch that corrects the header handling behavior during redirect chains. Users can download the updated versions from the official Go website (Go Announcement).