CVE-2025-4673: 
Docker vulnerability analysis and mitigation

A security vulnerability (CVE-2025-4673) was discovered in the Go programming language's net/http package, disclosed on June 11, 2025. The vulnerability involves Proxy-Authorization and Proxy-Authenticate headers persisting on cross-origin redirects, potentially leading to sensitive information leakage. The issue was reported by Takeshi Kaneko from GMO Cybersecurity by Ierae, Inc. (Wiz Report, NVD).

The vulnerability received a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges or user interaction, has changed scope, and can result in high confidentiality impact without affecting integrity or availability. The vulnerability affects multiple versions of Go, specifically versions before 1.23.10 and from 1.24.0-0 before 1.24.4 (CISA-ADP, Go Vuln).

The vulnerability affects various HTTP client methods including Client.Do, Client.Get, Client.Head, Client.Post, and Client.PostForm. The impact includes potential exposure of sensitive information through header persistence during cross-origin redirects (Go Vuln).

The vulnerability has been patched in Go versions 1.23.10 and 1.24.4. Users are advised to upgrade to these versions or later to address the security issue. The fixes were released on June 5, 2025, as part of a security update that included other security fixes (Golang Announce).