Low severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-22133

Description

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elastic APM Go agent before 1.11.0 leaks sensitive HTTP headers during application panics due to missing sanitization.

The Elastic APM Go agent (versions before 1.11.0) normally sanitizes sensitive HTTP header details before transmitting them to the APM server. During an application panic, however, this sanitization step is skipped, allowing raw headers to be logged and sent [1][2].

An attacker does not need special authentication; the bug is triggered automatically when an application panic occurs and the agent processes the request/response context. The leaked information could be captured from APM server logs or network traffic if the attacker has access to those channels [3].

This exposure can lead to the compromise of sensitive values such as Authorization headers, cookies, Set-Cookie values, and other custom headers, potentially enabling credential theft, session hijacking, or further attacks [4].

Users should upgrade to version 1.11.0 or later, where the sanitization is properly applied even during panic scenarios [2]. No workaround is available; updating the agent is the recommended mitigation.
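
A simplified model of the layout change visible in the fix commit, as an added example that is not code from the agent or from this advisory: redaction that lives in one event writer misses other event kinds, while redaction in the shared build step covers them all but still fails open when no patterns are attached. The names `event`, `wireBefore`, `wireAfter`, the pattern list and the header values are constructed for illustration, and `path.Match` stands in for the agent's own wildcard matcher.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

const redacted = "[REDACTED]"

// Constructed pattern list for this example, not the agent's defaults.
var patterns = []string{"authorization", "set-cookie", "*secret*"}

// sanitize returns a copy of h with every matching header value redacted.
// Names are compared case-insensitively against shell-style wildcards.
func sanitize(h http.Header, pats []string) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		out[name] = append([]string(nil), values...)
		for _, p := range pats {
			if ok, _ := path.Match(p, strings.ToLower(name)); ok {
				out[name] = []string{redacted}
				break
			}
		}
	}
	return out
}

// event is a simplified stand-in for a transaction or an error.
type event struct {
	kind    string // "transaction" or "error"
	headers http.Header
	pats    []string // only consulted by the "after" layout
}

// wireBefore models the pre-fix layout: redaction lives in the
// transaction writer, so any other event kind is serialized raw.
func wireBefore(e event) http.Header {
	if e.kind == "transaction" {
		return sanitize(e.headers, patterns)
	}
	return e.headers
}

// wireAfter models the post-fix layout: redaction lives in the shared
// context build step, driven by patterns stored on the event itself.
func wireAfter(e event) http.Header {
	return sanitize(e.headers, e.pats)
}

// sampleHeaders builds constructed request headers for the demo.
func sampleHeaders() http.Header {
	h := make(http.Header)
	h.Set("Authorization", "Bearer constructed-token")
	h.Set("X-Request-Id", "42")
	return h
}

func main() {
	for _, kind := range []string{"transaction", "error"} {
		e := event{kind: kind, headers: sampleHeaders(), pats: patterns}
		fmt.Printf("%-11s before=%q after=%q\n", kind,
			wireBefore(e).Get("Authorization"), wireAfter(e).Get("Authorization"))
	}
}
```

An `event` built without `pats` passes through `wireAfter` unredacted, which is why every constructor has to copy the pattern list.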

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
go.elastic.co/apm (Go) | < 1.11.0 | 1.11.0

Patches

2
c5c7e21aa26a

Bump version to 1.11.0

https://github.com/elastic/apm-agent-go · Andrew Wilkins · Feb 1, 2021 · via ghsa
37 files changed · +64 −59
  • CHANGELOG.asciidoc+8 4 modified
    @@ -21,14 +21,18 @@ endif::[]
     [[unreleased]]
     === Unreleased
     
    -https://github.com/elastic/apm-agent-go/compare/v1.10.0...master[View commits]
    -
    -- Make TRANSACTION_IGNORE_URLS dynamically configurable: {pull}872[#872]
    -
    +https://github.com/elastic/apm-agent-go/compare/v1.11.0...master[View commits]
     
     [[release-notes-1.x]]
     === Go Agent version 1.x
     
    +[[release-notes-1.11.0]]
    +==== 1.11.0 - 2021/02/01
    +
    +https://github.com/elastic/apm-agent-go/releases/tag/v1.11.0[View release]
    +
    +- Make TRANSACTION_IGNORE_URLS dynamically configurable: {pull}872[#872]
    +
     [[release-notes-1.10.0]]
     ==== 1.10.0 - 2021/01/20
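
Review bot: The new 1.11.0 release-notes section lists only the TRANSACTION_IGNORE_URLS entry ({pull}872[#872]), so a reader of the changelog cannot tell that this release changes how header sanitization is applied to error contexts. If that change ships in 1.11.0, add a separate bullet for it under `==== 1.11.0 - 2021/02/01` with its pull-request reference, so the security-relevant reason to upgrade is visible here.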
     
    
  • docs/upgrading.asciidoc+1 0 modified
    @@ -21,6 +21,7 @@ The table below is a simplified description of this policy.
     [options="header"]
     |====
     |Agent version |EOL Date |Maintained until
    +|1.11.x |2022/08/01 |1.12.0
     |1.10.x |2022/07/20 |1.11.0
     |1.9.x  |2022/05/02 |1.10.0
     |1.8.x  |2021-11-06 |1.9.0
    
  • internal/apmversion/version.go+1 1 modified
    @@ -19,5 +19,5 @@ package apmversion
     
     const (
     	// AgentVersion is the Elastic APM Go Agent version.
    -	AgentVersion = "1.10.0"
    +	AgentVersion = "1.11.0"
     )
    
  • internal/tracecontexttest/go.mod+1 1 modified
    @@ -1,6 +1,6 @@
     module tracecontexttest
     
    -require go.elastic.co/apm/module/apmhttp v1.10.0
    +require go.elastic.co/apm/module/apmhttp v1.11.0
     
     replace go.elastic.co/apm => ../..
     
    
  • module/apmbeego/go.mod+3 3 modified
    @@ -3,9 +3,9 @@ module go.elastic.co/apm/module/apmbeego
     require (
     	github.com/astaxie/beego v1.11.1
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    -	go.elastic.co/apm/module/apmsql v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
    +	go.elastic.co/apm/module/apmsql v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmchi/go.mod+2 2 modified
    @@ -3,8 +3,8 @@ module go.elastic.co/apm/module/apmchi
     require (
     	github.com/go-chi/chi v4.0.2+incompatible
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmecho/go.mod+2 2 modified
    @@ -9,8 +9,8 @@ require (
     	github.com/stretchr/testify v1.4.0
     	github.com/valyala/bytebufferpool v1.0.0 // indirect
     	github.com/valyala/fasttemplate v0.0.0-20170224212429-dcecefd839c4 // indirect
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 // indirect
     )
     
    
  • module/apmechov4/go.mod+2 2 modified
    @@ -4,8 +4,8 @@ require (
     	github.com/labstack/echo/v4 v4.0.0
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 // indirect
     )
     
    
  • module/apmelasticsearch/go.mod+2 2 modified
    @@ -2,8 +2,8 @@ module go.elastic.co/apm/module/apmelasticsearch
     
     require (
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
     )
     
    
  • module/apmelasticsearch/internal/integration/go.mod+2 2 modified
    @@ -6,8 +6,8 @@ require (
     	github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 // indirect
     	github.com/olivere/elastic v6.2.16+incompatible
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmelasticsearch v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmelasticsearch v1.11.0
     )
     
     replace go.elastic.co/apm => ../../../..
    
  • module/apmgin/go.mod+2 2 modified
    @@ -4,8 +4,8 @@ require (
     	github.com/gin-gonic/gin v1.4.0
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgocql/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ require (
     	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
     	github.com/gocql/gocql v0.0.0-20181124151448-70385f88b28b
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgokit/go.mod+3 3 modified
    @@ -6,9 +6,9 @@ require (
     	github.com/go-stack/stack v1.8.0 // indirect
     	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmgrpc v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmgrpc v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
     	google.golang.org/grpc v1.17.0
     )
    
  • module/apmgometrics/go.mod+1 1 modified
    @@ -3,7 +3,7 @@ module go.elastic.co/apm/module/apmgometrics
     require (
     	github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgopg/go.mod+2 2 modified
    @@ -6,8 +6,8 @@ require (
     	github.com/onsi/ginkgo v1.8.0 // indirect
     	github.com/onsi/gomega v1.5.0 // indirect
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmsql v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmsql v1.11.0
     	mellium.im/sasl v0.2.1 // indirect
     )
     
    
  • module/apmgopgv10/go.mod+2 2 modified
    @@ -4,8 +4,8 @@ require (
     	github.com/go-pg/pg/v10 v10.7.3
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.6.1
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmsql v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmsql v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgoredis/go.mod+1 1 modified
    @@ -7,7 +7,7 @@ require (
     	github.com/onsi/ginkgo v1.8.0 // indirect
     	github.com/onsi/gomega v1.5.0 // indirect
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgoredisv8/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ go 1.14
     require (
     	github.com/go-redis/redis/v8 v8.0.0-beta.2
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgorilla/go.mod+2 2 modified
    @@ -4,8 +4,8 @@ require (
     	github.com/gorilla/context v1.1.1 // indirect
     	github.com/gorilla/mux v1.6.2
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgorm/go.mod+2 2 modified
    @@ -5,8 +5,8 @@ require (
     	github.com/jinzhu/gorm v1.9.10
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmsql v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmsql v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmgormv2/go.mod+2 2 modified
    @@ -2,8 +2,8 @@ module go.elastic.co/apm/module/apmgormv2
     
     require (
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmsql v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmsql v1.11.0
     	gorm.io/driver/mysql v1.0.2
     	gorm.io/driver/postgres v1.0.2
     	gorm.io/driver/sqlite v1.1.4-0.20200928065301-698e250a3b0d
    
  • module/apmgrpc/go.mod+2 2 modified
    @@ -3,8 +3,8 @@ module go.elastic.co/apm/module/apmgrpc
     require (
     	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
     	google.golang.org/grpc v1.17.0
     )
    
  • module/apmhttp/go.mod+1 1 modified
    @@ -3,7 +3,7 @@ module go.elastic.co/apm/module/apmhttp
     require (
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
     	golang.org/x/text v0.3.2 // indirect
     )
    
  • module/apmhttprouter/go.mod+2 2 modified
    @@ -3,8 +3,8 @@ module go.elastic.co/apm/module/apmhttprouter
     require (
     	github.com/julienschmidt/httprouter v1.2.0
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmlambda/go.mod+1 1 modified
    @@ -2,7 +2,7 @@ module go.elastic.co/apm/module/apmlambda
     
     require (
     	github.com/aws/aws-lambda-go v1.8.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmlogrus/go.mod+1 1 modified
    @@ -4,7 +4,7 @@ require (
     	github.com/pkg/errors v0.8.1
     	github.com/sirupsen/logrus v1.2.0
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 // indirect
     )
     
    
  • module/apmmongo/go.mod+1 1 modified
    @@ -7,7 +7,7 @@ require (
     	github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51 // indirect
     	github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c // indirect
     	github.com/xdg/stringprep v1.0.0 // indirect
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     	go.mongodb.org/mongo-driver v1.0.0
     	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 // indirect
     	golang.org/x/text v0.3.2 // indirect
    
  • module/apmnegroni/go.mod+2 2 modified
    @@ -5,8 +5,8 @@ go 1.13
     require (
     	github.com/stretchr/testify v1.4.0
     	github.com/urfave/negroni v1.0.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmot/go.mod+2 2 modified
    @@ -3,8 +3,8 @@ module go.elastic.co/apm/module/apmot
     require (
     	github.com/opentracing/opentracing-go v1.1.0
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmprometheus/go.mod+1 1 modified
    @@ -5,7 +5,7 @@ require (
     	github.com/prometheus/client_golang v0.9.2
     	github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmredigo/go.mod+1 1 modified
    @@ -3,7 +3,7 @@ module go.elastic.co/apm/module/apmredigo
     require (
     	github.com/gomodule/redigo v1.8.2
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmrestful/go.mod+2 2 modified
    @@ -6,8 +6,8 @@ require (
     	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
     	github.com/modern-go/reflect2 v1.0.1 // indirect
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    -	go.elastic.co/apm/module/apmhttp v1.10.0
    +	go.elastic.co/apm v1.11.0
    +	go.elastic.co/apm/module/apmhttp v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmsql/go.mod+1 1 modified
    @@ -6,7 +6,7 @@ require (
     	github.com/lib/pq v1.3.0
     	github.com/mattn/go-sqlite3 v1.10.0
     	github.com/stretchr/testify v1.5.1
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • module/apmzap/go.mod+1 1 modified
    @@ -3,7 +3,7 @@ module go.elastic.co/apm/module/apmzap
     require (
     	github.com/pkg/errors v0.8.1
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     	go.uber.org/atomic v1.3.2 // indirect
     	go.uber.org/multierr v1.1.0 // indirect
     	go.uber.org/zap v1.9.1
    
  • module/apmzerolog/go.mod+1 1 modified
    @@ -4,7 +4,7 @@ require (
     	github.com/pkg/errors v0.8.1
     	github.com/rs/zerolog v1.14.3
     	github.com/stretchr/testify v1.4.0
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • scripts/genmod/go.mod+1 1 modified
    @@ -2,7 +2,7 @@ module genmod
     
     require (
     	github.com/pkg/errors v0.8.1
    -	go.elastic.co/apm v1.10.0
    +	go.elastic.co/apm v1.11.0
     )
     
     replace go.elastic.co/apm => ../..
    
  • version.go+1 1 modified
    @@ -19,5 +19,5 @@ package apm // import "go.elastic.co/apm"
     
     const (
     	// AgentVersion is the Elastic APM Go Agent version.
    -	AgentVersion = "1.10.0"
    +	AgentVersion = "1.11.0"
     )
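
Review bot: AgentVersion is now hand-edited in two places, here in version.go and in internal/apmversion/version.go, and nothing in this patch keeps the two strings in step. Define one constant in terms of the other, or add a test asserting they are equal, so a future bump cannot leave the agent reporting two different versions.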
    
dd3e8c593580

Tidy up modelwriter (#888)

https://github.com/elastic/apm-agent-go · Andrew Wilkins · Feb 1, 2021 · via ghsa
5 files changed · +54 −41
  • context.go+21 10 modified
    @@ -22,23 +22,25 @@ import (
     	"net/http"
     
     	"go.elastic.co/apm/internal/apmhttputil"
    +	"go.elastic.co/apm/internal/wildcard"
     	"go.elastic.co/apm/model"
     )
     
     // Context provides methods for setting transaction and error context.
     //
     // NOTE this is entirely unrelated to the standard library's context.Context.
     type Context struct {
    -	model            model.Context
    -	request          model.Request
    -	requestBody      model.RequestBody
    -	requestSocket    model.RequestSocket
    -	response         model.Response
    -	user             model.User
    -	service          model.Service
    -	serviceFramework model.Framework
    -	captureHeaders   bool
    -	captureBodyMask  CaptureBodyMode
    +	model               model.Context
    +	request             model.Request
    +	requestBody         model.RequestBody
    +	requestSocket       model.RequestSocket
    +	response            model.Response
    +	user                model.User
    +	service             model.Service
    +	serviceFramework    model.Framework
    +	captureHeaders      bool
    +	captureBodyMask     CaptureBodyMode
    +	sanitizedFieldNames wildcard.Matchers
     }
     
     func (c *Context) build() *model.Context {
    @@ -52,6 +54,15 @@ func (c *Context) build() *model.Context {
     	default:
     		return nil
     	}
    +	if len(c.sanitizedFieldNames) != 0 {
    +		if c.model.Request != nil {
    +			sanitizeRequest(c.model.Request, c.sanitizedFieldNames)
    +		}
    +		if c.model.Response != nil {
    +			sanitizeResponse(c.model.Response, c.sanitizedFieldNames)
    +		}
    +
    +	}
     	return &c.model
     }
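
Review bot: The new block in build() is guarded by `len(c.sanitizedFieldNames) != 0`, so a Context whose sanitizedFieldNames was never assigned fails open and returns the request and response headers unredacted. Since the field is unexported and must be copied in by every constructor, document that requirement on the struct field, or have build() fall back to the configured default when the slice is nil. Separately, drop the stray blank line before the closing brace of the `if` block.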
     
    
  • error.go+1 0 modified
    @@ -148,6 +148,7 @@ func (t *Tracer) newError() *Error {
     	if e.recording {
     		e.Timestamp = time.Now()
     		e.Context.captureHeaders = instrumentationConfig.captureHeaders
    +		e.Context.sanitizedFieldNames = instrumentationConfig.sanitizedFieldNames
     		e.stackTraceLimit = instrumentationConfig.stackTraceLimit
     	}
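
Review bot: The `e.Context.sanitizedFieldNames` assignment in newError is the only thing that makes Context.build() redact error contexts, yet it carries no comment and sits inside the `if e.recording` branch as if it were routine configuration. Add a one-line comment stating that build() performs no redaction without it, so the line is not dropped in a later refactor, and confirm that no Error is constructed by any path other than newError.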
     
    
  • modelwriter.go+0 9 modified
    @@ -125,15 +125,6 @@ func (w *modelWriter) buildModelTransaction(out *model.Transaction, tx *Transact
     	if sampled {
     		out.Context = td.Context.build()
     	}
    -
    -	if len(td.sanitizedFieldNames) != 0 && out.Context != nil {
    -		if out.Context.Request != nil {
    -			sanitizeRequest(out.Context.Request, td.sanitizedFieldNames)
    -		}
    -		if out.Context.Response != nil {
    -			sanitizeResponse(out.Context.Response, td.sanitizedFieldNames)
    -		}
    -	}
     }
     
     func (w *modelWriter) buildModelSpan(out *model.Span, span *Span, sd *SpanData) {
    
  • sanitizer_test.go+31 18 modified
    @@ -22,6 +22,7 @@ import (
     	"net/http"
     	"testing"
     
    +	"github.com/pkg/errors"
     	"github.com/stretchr/testify/assert"
     	"github.com/stretchr/testify/require"
     
    @@ -43,34 +44,46 @@ func TestSanitizeRequestResponse(t *testing.T) {
     		req.AddCookie(c)
     	}
     
    -	tx, _, _ := apmtest.WithTransaction(func(ctx context.Context) {
    +	tx, _, errors := apmtest.WithTransaction(func(ctx context.Context) {
    +		e := apm.CaptureError(ctx, errors.New("boom!"))
    +		defer e.Send()
    +
     		tx := apm.TransactionFromContext(ctx)
     		tx.Context.SetHTTPRequest(req)
    +		e.Context.SetHTTPRequest(req)
     
     		h := make(http.Header)
     		h.Add("Set-Cookie", (&http.Cookie{Name: "foo", Value: "bar"}).String())
     		h.Add("Set-Cookie", (&http.Cookie{Name: "baz", Value: "qux"}).String())
     		tx.Context.SetHTTPResponseHeaders(h)
     		tx.Context.SetHTTPStatusCode(http.StatusTeapot)
    +		e.Context.SetHTTPResponseHeaders(h)
    +		e.Context.SetHTTPStatusCode(http.StatusTeapot)
     	})
     
    -	assert.Equal(t, tx.Context.Request.Cookies, model.Cookies{
    -		{Name: "Custom-Credit-Card-Number", Value: "[REDACTED]"},
    -		{Name: "secret", Value: "[REDACTED]"},
    -		{Name: "sessionid", Value: "[REDACTED]"},
    -		{Name: "user_id", Value: "456"},
    -	})
    -	assert.Equal(t, model.Headers{{
    -		Key:    "Authorization",
    -		Values: []string{"[REDACTED]"},
    -	}}, tx.Context.Request.Headers)
    -
    -	// NOTE: the response includes multiple Set-Cookie headers,
    -	// but we only report a single "[REDACTED]" value.
    -	assert.Equal(t, model.Headers{{
    -		Key:    "Set-Cookie",
    -		Values: []string{"[REDACTED]"},
    -	}}, tx.Context.Response.Headers)
    +	checkContext := func(context *model.Context) {
    +		assert.Equal(t, context.Request.Cookies, model.Cookies{
    +			{Name: "Custom-Credit-Card-Number", Value: "[REDACTED]"},
    +			{Name: "secret", Value: "[REDACTED]"},
    +			{Name: "sessionid", Value: "[REDACTED]"},
    +			{Name: "user_id", Value: "456"},
    +		})
    +		assert.Equal(t, model.Headers{{
    +			Key:    "Authorization",
    +			Values: []string{"[REDACTED]"},
    +		}}, context.Request.Headers)
    +
    +		// NOTE: the response includes multiple Set-Cookie headers,
    +		// but we only report a single "[REDACTED]" value.
    +		assert.Equal(t, model.Headers{{
    +			Key:    "Set-Cookie",
    +			Values: []string{"[REDACTED]"},
    +		}}, context.Response.Headers)
    +	}
    +	checkContext(tx.Context)
    +	for _, e := range errors {
    +		checkContext(e.Context)
    +	}
     }
     
     func TestSetSanitizedFieldNamesNone(t *testing.T) {
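
Review bot: The loop `for _, e := range errors { checkContext(e.Context) }` passes vacuously if no error is captured, so the test would still be green if the error path stopped reporting altogether; add `require.Len(t, errors, 1)` before the loop. The result variable `errors` also shadows the newly imported `errors` package for the rest of the function, and the `context` parameter of checkContext shadows the `context` package; rename them (for example `errs` and `c`). In checkContext the first assert.Equal passes the actual cookies before the expected value, which reverses the labels in failure output.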
    
  • transaction.go+1 4 modified
    @@ -23,8 +23,6 @@ import (
     	"math/rand"
     	"sync"
     	"time"
    -
    -	"go.elastic.co/apm/internal/wildcard"
     )
     
     // StartTransaction returns a new Transaction with the specified
    @@ -68,7 +66,7 @@ func (t *Tracer) StartTransactionOptions(name, transactionType string, opts Tran
     	tx.stackTraceLimit = instrumentationConfig.stackTraceLimit
     	tx.Context.captureHeaders = instrumentationConfig.captureHeaders
     	tx.propagateLegacyHeader = instrumentationConfig.propagateLegacyHeader
    -	tx.sanitizedFieldNames = instrumentationConfig.sanitizedFieldNames
    +	tx.Context.sanitizedFieldNames = instrumentationConfig.sanitizedFieldNames
     	tx.breakdownMetricsEnabled = t.breakdownMetrics.enabled
     
     	var root bool
    @@ -346,7 +344,6 @@ type TransactionData struct {
     	stackTraceLimit         int
     	breakdownMetricsEnabled bool
     	propagateLegacyHeader   bool
    -	sanitizedFieldNames     wildcard.Matchers
     	timestamp               time.Time
     
     	mu            sync.Mutex
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
