Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jajU1LWdjN20td3Zjcc4AA-7H
req may send an unintended request when a malformed URL is provided
The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.
Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jajU1LWdjN20td3Zjcc4AA-7H
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 5 days ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-cj55-gc7m-wvcq, CVE-2024-45258
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45258
- https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d
- https://github.com/imroc/req/compare/v3.43.3...v3.43.4
- https://pkg.go.dev/vuln/GO-2024-3098
- https://github.com/advisories/GHSA-cj55-gc7m-wvcq
Blast Radius: 19.3
Affected Packages
go:github.com/imroc/req/v2
Dependent packages: 3Dependent repositories: 2
Downloads:
Affected Version Ranges: < 3.43.4
Fixed in: 3.43.4
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0
All unaffected versions:
go:github.com/imroc/req
Dependent packages: 653Dependent repositories: 479
Downloads:
Affected Version Ranges: < 3.43.4
Fixed in: 3.43.4
All affected versions: 0.1.0, 0.1.1, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2
All unaffected versions:
go:github.com/imroc/req/v3
Dependent packages: 391Dependent repositories: 158
Downloads:
Affected Version Ranges: < 3.43.4
Fixed in: 3.43.4
All affected versions: 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.12.0, 3.13.0, 3.13.1, 3.13.2, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.18.0, 3.19.0, 3.19.1, 3.19.2, 3.20.0, 3.20.1, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 3.23.0, 3.24.0, 3.24.1, 3.25.0, 3.26.0, 3.26.1, 3.26.2, 3.26.3, 3.26.4, 3.26.5, 3.26.6, 3.26.7, 3.27.0, 3.28.0, 3.28.1, 3.29.0, 3.30.0, 3.31.0, 3.31.1, 3.31.2, 3.32.0, 3.32.1, 3.32.2, 3.32.3, 3.33.0, 3.33.1, 3.33.2, 3.33.3, 3.34.0, 3.35.0, 3.35.1, 3.35.2, 3.36.0, 3.36.1, 3.36.2, 3.37.0, 3.37.1, 3.37.2, 3.38.0, 3.39.0, 3.40.0, 3.40.1, 3.41.0, 3.41.1, 3.41.2, 3.41.3, 3.41.4, 3.41.5, 3.41.6, 3.41.7, 3.41.8, 3.41.9, 3.41.10, 3.41.11, 3.41.12, 3.42.0, 3.42.1, 3.42.2, 3.42.3, 3.43.0, 3.43.1, 3.43.2, 3.43.3
All unaffected versions: 3.43.4, 3.43.5, 3.43.6, 3.43.7, 3.44.0, 3.45.0, 3.46.0, 3.46.1, 3.47.0, 3.48.0