CVE-2024-45340

CVE-2024-45340 is a vulnerability in the Go programming language's new GOAUTH feature, where credentials provided via this mechanism were not properly segmented by domain. This flaw allows a malicious server to request and access credentials it should not have permission to retrieve. By default, unless otherwise configured, the issue only affects credentials stored in the user's .netrc file.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and a requirement for low privileges but no user interaction. An attacker with low privileges can operate a malicious server that interacts with Go tools using the GOAUTH feature, tricking them into disclosing unauthorized credentials from the .netrc file for other domains, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details are outlined in the Go security advisory GO-2025-3383 at https://pkg.go.dev/vuln/GO-2025-3383, the issue discussion at https://go.dev/issue/71249, the code review change at https://go.dev/cl/643097, and the mailing list thread at https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ.