VYPR
← All advisories
High severityNVD Advisory· Published Mar 6, 2024· Updated Apr 16, 2025

Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

CVE-2024-28110

Description

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CloudEvents Go SDK versions before 2.15.2 leak authentication credentials to arbitrary endpoints when using WithRoundTripper.

Vulnerability

The CloudEvents Go SDK prior to version 2.15.2 contained a credential leakage vulnerability when using cloudevents.WithRoundTripper to create a client with an authenticated http.RoundTripper. The root cause lies in the code at [2] where if p.Client is nil, it is set to http.DefaultClient. If a round tripper is provided, it modifies the transport of http.DefaultClient, causing the credentials to be used for all requests made by the default client [3].

Exploitation

An attacker can exploit this by tricking the application into making a request to an attacker-controlled endpoint using http.DefaultClient after the authenticated transport has been set. Since the default client is shared globally, any subsequent HTTP request using the default client will include the authorization credentials [3].

Impact

Successful exploitation leads to leakage of authentication tokens (e.g., OAuth2 tokens) to arbitrary endpoints. This could allow an attacker to access protected resources as the victim application, potentially compromising cloud services or other APIs [3].

Mitigation

The vulnerability is fixed in version 2.15.2 of the Go SDK, where the client creation was changed to use a new http.Client{} instead of http.DefaultClient [4]. Users are advised to update immediately. No workarounds are available except avoiding the use of WithRoundTripper with authenticated transports [3].

References
  1. sdk-go/v2/protocol/http/protocol.go at 67e389964131d55d65cd14b4eb32d57a47312695 · cloudevents/sdk-go
  2. Use of WithRoundTripper to create a Client leaks credentials
  3. Merge pull request from GHSA-5pf6-2qwx-pxm2 · cloudevents/sdk-go@de2f283

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/cloudevents/sdk-go/v2Go
< 2.15.22.15.2

Affected products

49

Patches

1
de2f28370b0d

Merge pull request from GHSA-5pf6-2qwx-pxm2

https://github.com/cloudevents/sdk-goDoug DavisMar 6, 2024via ghsa
commit
1 file changed · +4 1
  • v2/protocol/http/protocol.go+4 1 modified
    @@ -102,7 +102,10 @@ func New(opts ...Option) (*Protocol, error) {
 	}
 
 	if p.Client == nil {
-		p.Client = http.DefaultClient
+		// This is how http.DefaultClient is initialized. We do not just use
+		// that because when WithRoundTripper is used, it will change the client's
+		// transport, which would cause that transport to be used process-wide.
+		p.Client = &http.Client{}
 	}
 
 	if p.roundTripper != nil {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.