Low severity (CVSS 3.7) · NVD Advisory · Published May 24, 2024 · Updated Apr 15, 2026
CVE-2024-35232
Description
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API, including file upload, batch requests and the marketing API. When an HTTP request fails, the access_token can be exposed in the resulting error message. This issue has been patched in version 2.7.2.
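The leak works because http.Client.Do wraps every transport failure in a *url.Error whose URL field carries the full request URL, query string included, so a token passed as `access_token=...` lands in `err.Error()` and from there in logs. The following added example (written for this page, not code from the huandu/facebook project) reproduces that with a constructed always-failing transport and shows the mitigation the fix applies: scrub the secret query parameter from the reported URL while keeping host, path, non-secret parameters and the underlying cause. It goes slightly beyond the patch in that `redactQueryParam` (a hypothetical helper) uses `errors.As`, so it also catches a *url.Error that arrives wrapped; `sampleEndpoint`, `failingTransport`, `callGraph`, `RawError` and `RedactedError` are all names assumed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Constructed sample endpoint; the non-secret query parameter demonstrates
// that redaction removes only the token and keeps everything else.
const sampleEndpoint = "https://graph.facebook.com/me?fields=id"

// failingTransport stands in for an unreachable Graph API host: every request
// fails at the transport layer. http.Client.Do wraps such failures in
// *url.Error, whose URL field holds the full request URL, query string
// included, which is exactly how an access_token ends up in the error text.
type failingTransport struct{}

func (failingTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, errors.New("dial tcp: connection refused (constructed)")
}

// redactQueryParam returns err with the named query parameter removed from the
// URL reported by any *url.Error in its chain. Errors that are not *url.Error,
// or whose URL does not carry the parameter, are returned unchanged.
// Hypothetical helper written for this example, not part of huandu/facebook.
func redactQueryParam(err error, param string) error {
	var uerr *url.Error
	if !errors.As(err, &uerr) || uerr.URL == "" {
		return err
	}
	u, perr := url.Parse(uerr.URL)
	if perr != nil {
		// The reported URL cannot be parsed, so it cannot be scrubbed safely:
		// report the operation and the underlying cause without the URL.
		return fmt.Errorf("%s: request failed: %w", uerr.Op, uerr.Err)
	}
	q := u.Query()
	if !q.Has(param) {
		return err
	}
	q.Del(param)
	u.RawQuery = q.Encode()
	// Build a new error rather than mutating the one the client returned.
	return &url.Error{Op: uerr.Op, URL: u.String(), Err: uerr.Err}
}

// callGraph issues a GET with the token passed as the access_token query
// parameter, the way the Graph API expects it, and returns the request error,
// scrubbed of the token when redact is true.
func callGraph(client *http.Client, token string, redact bool) error {
	u, err := url.Parse(sampleEndpoint)
	if err != nil {
		return err
	}
	q := u.Query()
	q.Set("access_token", token)
	u.RawQuery = q.Encode()
	resp, err := client.Get(u.String())
	if resp != nil {
		resp.Body.Close()
	}
	if redact {
		return redactQueryParam(err, "access_token")
	}
	return err
}

// RawError returns the error text the way an unpatched caller would log it.
func RawError(token string) string {
	return errText(callGraph(&http.Client{Transport: failingTransport{}}, token, false))
}

// RedactedError returns the error text after the token has been scrubbed.
func RedactedError(token string) string {
	return errText(callGraph(&http.Client{Transport: failingTransport{}}, token, true))
}

func errText(err error) string {
	if err == nil {
		return ""
	}
	return err.Error()
}

func main() {
	const token = "EAAB-constructed-token-do-not-log" // constructed, not a real token
	fmt.Println("unpatched:", RawError(token))
	fmt.Println("redacted: ", RedactedError(token))
}
```

Running it prints the unpatched message with the token inside the quoted URL and the redacted message with `https://graph.facebook.com/me?fields=id` and the transport cause intact. The same check belongs in a unit test around any client that puts credentials in a URL: assert that the token is absent from `err.Error()` and that the URL and cause are still present, so the redaction cannot be "passed" by dropping diagnostics altogether.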
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/huandu/facebook/v2 (Go) | < 2.7.2 | 2.7.2 |
Patches
8b34431b91b3 Merge pull request from GHSA-3f65-m234-9mxr
2 files changed · +43 −1
session.go+16 −1 modified@@ -562,7 +562,22 @@ func (session *Session) sendRequest(request *http.Request) (response *http.Respo } if err != nil { - err = fmt.Errorf("facebook: cannot reach facebook server; %w", err) + originalErr := err + err = fmt.Errorf("facebook: cannot reach facebook server; %w", originalErr) + netUrlErr, ok := originalErr.(*url.Error) + // *url.Error can contain access_token in the URL, so we need to exclude it. + if !ok || netUrlErr.URL == "" { + return + } + q := request.URL.Query() + if !q.Has("access_token") { + return + } + q.Del("access_token") + url := *request.URL + url.RawQuery = q.Encode() + netUrlErr.URL = url.String() + err = fmt.Errorf("facebook: cannot reach facebook server; %w", netUrlErr) return }
session_test.go+27 −0 modified@@ -11,8 +11,10 @@ import ( "bytes" "context" "encoding/base64" + "errors" "net/http" "net/http/httptest" + "strings" "testing" ) @@ -400,3 +402,28 @@ func TestSessionGetWithQueryString(t *testing.T) { t.Logf("my extended info is: %v", result) } + +func TestSessionGetFailingWithoutExposingAccessToken(t *testing.T) { + var accessToken = "CAACZA38ZAD8CoBAe2bDC6EdThnni3b56scyshKINjZARoC9ZAuEUTgYUkYnKdimqfA2ZAXcd2wLd7Rr8jLmMXTY9vqAhQGqObZBIUz1WwbqVoCsB3AAvLtwoWNhsxM76mK0eiJSLXHZCdPVpyhmtojvzXA7f69Bm6b5WZBBXia8iOpPZAUHTGp1UQLFMt47c7RqJTrYIl3VfAR0deN82GMFL2" + session := &Session{} + session.SetAccessToken(accessToken) + session.HttpClient = &http.Client{ + Transport: alwaysFailRoundTripper{}, + } + + _, err := session.Get("/me", nil) + if err == nil { + t.Fatalf("request should fail") + } + if strings.Contains(err.Error(), accessToken) { + t.Errorf("error message should not contain access token") + } +} + +type alwaysFailRoundTripper struct{} + +var _ http.RoundTripper = alwaysFailRoundTripper{} + +func (a alwaysFailRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + return nil, errors.New("request failed since alwaysFailRoundTripper is used") +}
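Review bot: in the sendRequest hunk, `url := *request.URL` shadows the imported net/url package for the rest of the block, and the direct assertion `originalErr.(*url.Error)` misses a *url.Error that arrives wrapped; rename the local (for example `u := *request.URL`) and use `var netUrlErr *url.Error` with `errors.As(originalErr, &netUrlErr)` so the scrub still applies if a wrapping layer ever sits between http.Client and this code. The query check reads `request.URL.Query()` rather than the URL inside `netUrlErr`, which is correct only because http.Client.Do reports the request URL verbatim; a comment stating that assumption would help, and building the wrapped error once at the end instead of twice (the first `fmt.Errorf` result is discarded on the redaction path) would simplify the flow.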
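Review bot: TestSessionGetFailingWithoutExposingAccessToken only asserts that the token is absent from `err.Error()`; it should also assert with `errors.As` that a *url.Error is still returned and that its URL keeps the host and path (and any non-secret query parameters), otherwise a future change could pass the test by dropping the URL entirely. The test depends on http.Client wrapping the round tripper's error in *url.Error, which is worth a one-line comment next to alwaysFailRoundTripper, and the long literal could be replaced by a short, obviously fake token so nobody mistakes it for a real credential.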
References
- github.com/advisories/GHSA-3f65-m234-9mxr (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-35232 (GHSA; advisory)
- cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633 (NVD; web)
- cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30 (NVD; web)
- github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go (NVD; web)
- github.com/huandu/facebook/commit/8b34431b91b32903c8821b1d7621bf81a029d8e4 (NVD; web)
- github.com/huandu/facebook/security/advisories/GHSA-3f65-m234-9mxr (NVD; web)