Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cj55-gc7m-wvcq: req may send an unintended request when a malformed URL is provided

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.

Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

ghsa
#vulnerability#git#rce#ssrf
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-45258

req may send an unintended request when a malformed URL is provided

High severity GitHub Reviewed Published Aug 26, 2024 to the GitHub Advisory Database • Updated Aug 26, 2024

Package

gomod github.com/imroc/req/v3 (Go)

Affected versions

< 3.43.4

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.

Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-45258
  • imroc/req@04e3ece
  • imroc/[email protected]…v3.43.4

Published to the GitHub Advisory Database

Aug 26, 2024

Last updated

Aug 26, 2024

ghsa: Latest News

GHSA-rhm9-gp5p-5248: Gradio vulnerable to arbitrary file read with File and UploadButton components