Skip to content

req may send an unintended request when a malformed URL is provided

High severity GitHub Reviewed Published Aug 26, 2024 to the GitHub Advisory Database • Updated Sep 16, 2024

Package

gomod github.com/imroc/req (Go)

Affected versions

< 3.43.4

Patched versions

3.43.4
gomod github.com/imroc/req/v2 (Go)
< 3.43.4
3.43.4
gomod github.com/imroc/req/v3 (Go)
< 3.43.4
3.43.4

Description

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.

Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

References

Published by the National Vulnerability Database Aug 25, 2024
Published to the GitHub Advisory Database Aug 26, 2024
Reviewed Aug 26, 2024
Last updated Sep 16, 2024

Severity

High

EPSS score

0.043%
(10th percentile)

CVE ID

CVE-2024-45258

GHSA ID

GHSA-cj55-gc7m-wvcq

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.