req may send an unintended request when a malformed URL is provided
Moderate severity
GitHub Reviewed
Published
Aug 26, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Aug 25, 2024
Published to the GitHub Advisory Database
Aug 26, 2024
Reviewed
Aug 26, 2024
Last updated
Nov 18, 2024
The
req
library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests.Despite developers potentially utilizing the
net/url
library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how thenet/url
andreq
libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).References