CVE-2024-45340 Information

Description

Credentials provided via the new GOAUTH feature were not being properly segmented by domain allowing a malicious server to request credentials they should not have access to. By default unless otherwise set this only affected credentials stored in the users .netrc file.

Reference

https://go.dev/cl/643097 https://go.dev/issue/71249 https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ https://pkg.go.dev/vuln/GO-2025-3383