CVE-2024-45258

9.8 CRITICAL

📋 TL;DR

The req package for Go before version 3.43.4 may send unintended HTTP requests when provided with malformed URLs due to a 'garbage in, garbage out' design in the cleanHost function. This vulnerability allows attackers to potentially redirect requests to malicious servers or cause unexpected behavior. Any Go application using the req package for HTTP requests is affected.

💻 Affected Systems

Products:
  • req (Go HTTP client library)
Versions: All versions before 3.43.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Go application that uses the req package to make HTTP requests with user-controlled or otherwise untrusted URL inputs is vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could redirect sensitive API calls to malicious servers, leading to data exfiltration, authentication bypass, or server-side request forgery (SSRF) attacks.

🟠

Likely Case

Malformed URLs could cause applications to send requests to unintended destinations, potentially leaking sensitive information or causing service disruptions.

🟢

If Mitigated

With proper input validation and URL sanitization at the application layer, the impact would be limited to potential request failures.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to provide malformed URLs to the req package, which could come from user input, configuration files, or external sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.43.4

Vendor Advisory: https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d

Restart Required: Yes

Instructions:

1. Update go.mod to require github.com/imroc/req/v3 v3.43.4 or later
2. Run 'go mod tidy'
3. Rebuild and redeploy your application
4. Restart any running services using the patched version

🔧 Temporary Workarounds

Input validation wrapper

Applies to: all

Implement strict URL validation before passing URLs to the req package

// Go code: Validate URL format before using req
package main
import (
    "errors"
    "net/url"
)

func validateURL(rawURL string) (string, error) {
    parsed, err := url.Parse(rawURL)
    if err != nil {
        return "", err
    }
    // Minimal checks: only http/https with a non-empty host; add application-specific rules (e.g. a host allowlist) here.
    if (parsed.Scheme != "http" && parsed.Scheme != "https") || parsed.Host == "" {
        return "", errors.New("rejected URL: unsupported scheme or missing host")
    }
    return parsed.String(), nil
}

🧯 If You Can't Patch

  • Implement strict input validation for all URL parameters before passing them to the req package
  • Use network controls to restrict outbound HTTP connections to trusted destinations only
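The workaround above and the first "If You Can't Patch" item both call for strict URL validation in front of req. The following is an added example written for this page, not code from the advisory or from the req project, showing what "strict" can mean in practice: it accepts only http/https URLs, rejects userinfo (the `user@host` form that makes a URL look like it targets one host while it actually targets another), rejects any host not on an allowlist, bounds the port, and returns a canonical lower-case form. The allowlist `AllowedHosts` and the sample inputs in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// ErrRejected wraps every validation failure so callers can test for it with errors.Is.
var ErrRejected = errors.New("url rejected by validator")

// AllowedHosts is a constructed allowlist for this example; a real
// application would load it from configuration.
var AllowedHosts = map[string]bool{
	"api.example.com": true,
}

// StrictURL accepts rawURL only if it is an http/https URL with no userinfo and
// no opaque part, a hostname made of [a-z0-9.-] that is on the allowlist, and an
// optional numeric port in 1..65535. It returns a canonical form (lower-case
// host, fragment dropped) that is safe to hand to the HTTP client.
func StrictURL(rawURL string, allowed map[string]bool) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRejected, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q not allowed", ErrRejected, u.Scheme)
	}
	if u.Opaque != "" || u.User != nil {
		return "", fmt.Errorf("%w: opaque form or userinfo present", ErrRejected)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("%w: empty host", ErrRejected)
	}
	for _, r := range host {
		if !((r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' || r == '.') {
			return "", fmt.Errorf("%w: unexpected character %q in host", ErrRejected, r)
		}
	}
	if !allowed[host] {
		return "", fmt.Errorf("%w: host %q not on allowlist", ErrRejected, host)
	}
	if port := u.Port(); port != "" {
		n, err := strconv.Atoi(port)
		if err != nil || n < 1 || n > 65535 {
			return "", fmt.Errorf("%w: bad port %q", ErrRejected, port)
		}
		u.Host = net.JoinHostPort(host, port)
	} else {
		u.Host = host
	}
	u.Fragment = "" // fragments are never sent to the server; drop them from the canonical form
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one clean URL, one needing canonicalisation,
	// and several that must be rejected.
	for _, c := range []string{
		"https://api.example.com/v1/users?id=7",
		"HTTPS://API.EXAMPLE.COM:8443/v1#frag",
		"https://api.example.com@203.0.113.9/",
		"https://evil.test/",
		"api.example.com/v1",
	} {
		clean, err := StrictURL(c, AllowedHosts)
		fmt.Printf("%-45s -> %q %v\n", c, clean, err)
	}
}
```

Only the string returned by `StrictURL` should reach the req call; the raw input never does. Rejecting userinfo and non-allowlisted hosts at this layer is what limits the impact to "request failures" as the If Mitigated case above describes, regardless of how the library's own host cleaning behaves.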

🔍 How to Verify

Check if Vulnerable:

Check go.mod for req version: grep 'github.com/imroc/req' go.mod

Check Version:

go list -m all | grep github.com/imroc/req

Verify Fix Applied:

Verify that the version in go.mod is 3.43.4 or later and confirm the resolved version with 'go list -m all | grep req'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected HTTP request destinations
  • Failed URL parsing errors
  • Requests to unusual or unexpected domains

Network Indicators:

  • HTTP requests to unexpected IP addresses or domains
  • Abnormal request patterns from applications using req

SIEM Query:

source="application_logs" AND ("req" OR "cleanHost") AND ("malformed" OR "unexpected" OR "redirect")
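The log and network indicators listed above (unexpected destinations, parse failures, unusual domains) can be checked mechanically against an outbound-request log. The following is an added example written for this page, not tooling from the advisory or the req project; it assumes a constructed `key=value` log format (`sampleLog`) and a constructed allowlist, and flags three conditions that match the indicators: a URL that fails to parse, a URL carrying userinfo (so the real destination is not the host a reader sees first), and a destination host outside the allowlist.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding is one flagged log line and the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// sampleLog is a constructed outbound-request log for this example, in the form
//   ts=<time> svc=<name> method=<M> url=<URL> status=<code>
// Real logs will differ; adapt field() to your own format.
var sampleLog = []string{
	`ts=2024-09-01T10:00:01Z svc=billing method=GET url=https://api.example.com/v1/invoices status=200`,
	`ts=2024-09-01T10:00:02Z svc=billing method=POST url=https://api.example.com@203.0.113.9/v1/invoices status=200`,
	`ts=2024-09-01T10:00:03Z svc=billing method=GET url=https://203.0.113.9/v1/invoices status=200`,
	`ts=2024-09-01T10:00:04Z svc=billing method=GET url=http://api.example.com:port/ status=0`,
}

// allowedHosts is a constructed allowlist of destinations this service is expected to call.
var allowedHosts = map[string]bool{"api.example.com": true}

// field returns the value of key in a space-separated key=value line, or "".
func field(line, key string) string {
	for _, f := range strings.Fields(line) {
		if strings.HasPrefix(f, key+"=") {
			return strings.TrimPrefix(f, key+"=")
		}
	}
	return ""
}

// Scan walks the log lines and returns one Finding per line whose url field
// fails to parse, contains userinfo, or resolves to a host not on the allowlist.
func Scan(lines []string, allowed map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		raw := field(line, "url")
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		if err != nil {
			out = append(out, Finding{line, "url parse failure: " + err.Error()})
			continue
		}
		if u.User != nil {
			out = append(out, Finding{line, "userinfo in URL; actual host is " + u.Hostname()})
			continue
		}
		host := strings.ToLower(u.Hostname())
		if !allowed[host] {
			out = append(out, Finding{line, "destination not on allowlist: " + host})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleLog, allowedHosts) {
		fmt.Printf("ALERT %s\n      %s\n", f.Reason, f.Line)
	}
}
```

The allowlist comparison is the part that gives the SIEM query above something concrete to match on: emitting the `Reason` text into application logs lets a query on "unexpected" or "malformed" find these events without depending on the library's own error strings.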
