The Go team has rolled out versions 1.24.4 and 1.23.10, addressing three critical security vulnerabilities in the core packages net/http, os, and crypto/x509. While these are minor point releases, the impact of the fixed vulnerabilities is far from minor: they highlight risks in both web applications and cryptographic operations built on Go.
CVE-2025-4673: Sensitive Headers Leak on Redirect - net/http
The first and most severe issue affects Go's net/http package, where the sensitive HTTP headers Proxy-Authorization and Proxy-Authenticate were not cleared during cross-origin redirects, creating a significant data leak vector.
"Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information," the Go team explains.
Discovered by Takeshi Kaneko of GMO Cybersecurity by Ierae, Inc., the vulnerability could be exploited in malicious redirect scenarios, allowing attackers to intercept sensitive proxy credentials.
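The mitigation a defender can apply on the client side, independent of the Go version, is a CheckRedirect hook that drops credential-bearing headers whenever a redirect leaves the original origin. The following is an added example, not code from the Go team or from the advisory. It assumes a strict origin rule (scheme and host:port must match, which is stricter than net/http's own domain-or-subdomain rule) so that the two constructed loopback servers in the probe count as different origins; the credential value and server handlers are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// Headers that carry credentials and should never follow a redirect to a
// different origin. The first two are the headers named in CVE-2025-4673.
var credentialHeaders = []string{
	"Proxy-Authorization",
	"Proxy-Authenticate",
	"Authorization",
	"Cookie",
}

// sameOrigin is a strict comparison: scheme and host (including port) must
// match. Assumption: a port change counts as a new origin, which is stricter
// than net/http's own rule and is what makes the two loopback servers in
// RedirectProbe different origins.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// stripCredentialsOnCrossOrigin is an http.Client.CheckRedirect hook. via[0]
// is the original request and req is the redirected request about to be
// sent, with headers already copied onto it, so deleting from req.Header
// here keeps the credential out of the next hop.
func stripCredentialsOnCrossOrigin(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if !sameOrigin(via[0].URL, req.URL) {
		for _, h := range credentialHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// NewHardenedClient returns a client that applies the hook above.
func NewHardenedClient() *http.Client {
	return &http.Client{CheckRedirect: stripCredentialsOnCrossOrigin}
}

// RedirectProbe starts two constructed loopback servers: "a" answers with a
// 302 to "b", and "b" records the Proxy-Authorization header it receives.
// One request with a constructed credential is sent through client, and the
// value that reached "b" is returned (empty string means nothing leaked).
func RedirectProbe(client *http.Client) (string, error) {
	var (
		mu   sync.Mutex
		seen string
	)
	b := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen = r.Header.Get("Proxy-Authorization")
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	defer b.Close()
	a := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, b.URL+"/landing", http.StatusFound)
	}))
	defer a.Close()

	req, err := http.NewRequest(http.MethodGet, a.URL+"/start", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Proxy-Authorization", "Basic constructed-example-credential")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()

	mu.Lock()
	defer mu.Unlock()
	return seen, nil
}

func main() {
	seen, err := RedirectProbe(NewHardenedClient())
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Printf("Proxy-Authorization seen by the redirect target: %q\n", seen)
}
```

The hook is deliberately applied to the whole list in credentialHeaders rather than only the two headers from the advisory, so that a future addition to the list does not depend on a toolchain upgrade; the redirect limit of 10 mirrors the default the client would otherwise enforce.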
CVE-2025-0913: Inconsistent File Creation Behavior - os
Next, a platform inconsistency in os.OpenFile has been patched. The issue stemmed from differences in how Unix and Windows handled the O_CREATE|O_EXCL flags when the target path was a symbolic link.
"On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location," the Go team writes.
Thanks to Junyoung Park and Dong-uk Kim from KAIST Hacking Lab, this logic flaw is now resolved.
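For code that must create a file exclusively (lock files, temporary secrets, atomic writes), the portable defence is to verify after the open that the directory entry really is the file just created and not a symlink that was followed. The following is an added example, not code from the Go team; the post-open Lstat/SameFile check and the probe that reproduces the dangling-symlink scenario in a temporary directory are assumptions of this example, and the file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// CreateExclusive opens path with O_CREATE|O_EXCL and then checks that the
// directory entry at path is the regular file just created rather than a
// symlink that was followed. On Unix O_EXCL already refuses symlinks; the
// post-open check is an added, portable guard against the Windows behaviour
// described in CVE-2025-0913. It detects after the fact, so a caller that
// receives an error should treat the path as untrusted.
func CreateExclusive(path string, perm os.FileMode) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return nil, err
	}
	fi, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	lfi, err := os.Lstat(path)
	if err != nil {
		f.Close()
		return nil, err
	}
	if lfi.Mode()&os.ModeSymlink != 0 || !os.SameFile(fi, lfi) {
		f.Close()
		return nil, fmt.Errorf("%s: entry is a symlink or does not match the created file", path)
	}
	return f, nil
}

// DanglingSymlinkProbe reproduces the scenario inside dir: a symlink pointing
// at a file that does not exist, followed by an exclusive create through that
// symlink. It returns true when the create was refused and nothing appeared
// at the symlink's target.
func DanglingSymlinkProbe(dir string) (bool, error) {
	target := filepath.Join(dir, "target.txt")
	link := filepath.Join(dir, "link.txt")
	if err := os.Symlink(target, link); err != nil {
		return false, err
	}
	f, err := CreateExclusive(link, 0o600)
	if err == nil {
		f.Close()
		return false, nil
	}
	_, statErr := os.Lstat(target)
	return errors.Is(statErr, os.ErrNotExist), nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-probe")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	refused, err := DanglingSymlinkProbe(dir)
	fmt.Printf("exclusive create through dangling symlink refused=%v err=%v\n", refused, err)
}
```

On a patched toolchain the probe reports refused=true on every platform; the check inside CreateExclusive remains useful as defence in depth where an older Go or a different runtime might still follow the link.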
CVE-2025-22874: Policy Validation Bypass in Certificate Chains - crypto/x509
A flaw was identified in Go's X.509 implementation. When VerifyOptions.KeyUsages contained ExtKeyUsageAny, policy validation was unintentionally disabled.
"Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation."
Although this bug only affected chains involving policy graphs (rare in typical TLS use cases), it broke compliance with the CA/Browser Forum Baseline Requirements, risking misconfigured trust anchors. The issue was reported by Krzysztof Skrzętnicki (@Tener) of Teleport.
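The practical takeaway for verifiers is to pass the extended key usage you actually require rather than ExtKeyUsageAny, which waives the EKU check (and, on the affected versions, policy validation with it). The following added example, not code from the Go team, builds a constructed in-memory root and server-only leaf, shows how the three KeyUsages choices behave on Verify, and includes a small configuration lint; the CA name, hostname and validity window are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestChain is a constructed root CA plus a leaf issued for server use only.
type TestChain struct {
	Roots *x509.CertPool
	Leaf  *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates the CA and leaf in memory with constructed names.
func BuildChain() (*TestChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "service.example.test"},
		DNSNames:     []string{"service.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Server use only: the constraint that ExtKeyUsageAny would waive.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestChain{Roots: pool, Leaf: leaf}, nil
}

// VerifyWith runs chain verification against the leaf with the given EKU set.
func (c *TestChain) VerifyWith(usages ...x509.ExtKeyUsage) error {
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:     c.Roots,
		DNSName:   "service.example.test",
		KeyUsages: usages,
	})
	return err
}

// UsesAnyEKU is a configuration lint: true when a VerifyOptions relies on
// ExtKeyUsageAny instead of naming the usage the caller actually needs.
func UsesAnyEKU(opts x509.VerifyOptions) bool {
	for _, u := range opts.KeyUsages {
		if u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

func main() {
	c, err := BuildChain()
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("ServerAuth:", c.VerifyWith(x509.ExtKeyUsageServerAuth))
	fmt.Println("ClientAuth:", c.VerifyWith(x509.ExtKeyUsageClientAuth))
	fmt.Println("Any:       ", c.VerifyWith(x509.ExtKeyUsageAny))
}
```

The ClientAuth call fails because the leaf only permits server authentication, while ExtKeyUsageAny accepts the same leaf for any purpose; a lint such as UsesAnyEKU run over your VerifyOptions at startup is a cheap way to catch the configuration that this CVE made more dangerous.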
Update Now
If your application or infrastructure stack is built on Go, particularly for web services, CLI tools, or certificate validation, upgrading to 1.24.4 or 1.23.10 is critical. These patches not only improve consistency across operating systems but also plug security holes that could lead to credential leakage, improper file handling, or certificate misvalidation.