CVE-2024-45258: 
vulnerability analysis and mitigation

The req package before version 3.43.4 for Go contains a vulnerability where it may send unintended requests when a malformed URL is provided. This occurs because the cleanHost function in http.go intentionally uses a "garbage in, garbage out" design. The vulnerability was discovered and disclosed in August 2024 (NVD).

The vulnerability exists in the URL parsing mechanism of the req library. When malformed URLs are provided, inconsistencies between how the net/url and req libraries parse URLs can lead to the failure of defensive strategies. The CVSS v3.1 score for this vulnerability is 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

The vulnerability can lead to security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE). This is particularly impactful because the req library is widely used, and the vulnerability can help attackers bypass protections that developers have set up for schemes and hosts (GitHub Commit).

The vulnerability has been fixed in version 3.43.4 of the req package. The fix involves improving the handling of malformed URLs and preventing successful requests to invalid hosts. Users should upgrade to version 3.43.4 or later to receive the security patch (GitHub Compare).