CVE-2024-45340
Description
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials it should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go's GOAUTH feature fails to properly segment credentials by domain, enabling a malicious server to request .netrc credentials from other domains.
CVE-2024-45340 affects the GOAUTH feature of the Go command-line tool, introduced in Go 1.24. The feature did not properly segment credentials by domain, meaning that a credential stored in the user's .netrc file for one domain could be exposed to a different domain [1][3].
An attacker can exploit this by setting up a malicious server that, when the Go tool fetches modules or performs authentication, triggers a request for credentials from a different domain. The Go tool then sends credentials intended for another domain, leaking them to the attacker [2]. No special privileges are required other than the ability to serve a resource that triggers the Go tool's authentication flow.
The impact is that an attacker can obtain credentials stored in the user's .netrc file, which may include passwords or tokens for various services, leading to unauthorized access to accounts and resources [3]. The severity is rated High with a CVSS score of 8.8.
The vulnerability is fixed in Go 1.24rc2 and later. Users are advised to update to the latest release. By default, only credentials from .netrc are affected unless other credential sources are configured [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19 affected package versions (OSV coordinates, no CPE):
- pkg:bitnami/golang, range: >= 1.24.0-0, < 1.24.0-rc.2
- pkg:rpm/opensuse/go1.24&distro=openSUSE%20Leap%2015.6, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/opensuse/go1.24&distro=openSUSE%20Tumbleweed, range: < 1.24rc2-1.1
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6, range: < 0.0.20250128T150132-150000.1.29.1
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed, range: < 0.0.20250128T150132-1.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Enterprise%20Storage%207.1, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/go1.24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5, range: < 1.24rc2-150000.1.3.1
- pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6, range: < 0.0.20250128T150132-150000.1.29.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.