Cyber Resilience

CVE-2024-45340

High

Published: 28 January 2025

Published
28 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45340 is a high-severity an unspecified weakness vulnerability in Go (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2024-45340 is a vulnerability in the Go programming language's new GOAUTH feature, where credentials provided via this mechanism were not properly segmented by domain. This flaw allows a malicious server to request and access credentials it should not have permission to retrieve. By default, unless otherwise configured, the issue only affects credentials stored in the user's .netrc file.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and a requirement for low privileges but no user interaction. An attacker with low privileges can operate a malicious server that interacts with Go tools using the GOAUTH feature, tricking them into disclosing unauthorized credentials from the .netrc file for other domains, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details are outlined in the Go security advisory GO-2025-3383 at https://pkg.go.dev/vuln/GO-2025-3383, the issue discussion at https://go.dev/issue/71249, the code review change at https://go.dev/cl/643097, and the mailing list thread at https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ.

EU & UK References

Vulnerability details

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users…

more

.netrc file.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Vulnerability directly enables remote theft of credentials stored in .netrc files via malicious server interaction with Go clients using GOAUTH.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

Go
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to credentials, directly addressing the GOAUTH failure to segment .netrc credentials by domain.

prevent

AC-4 requires controlling information flows based on domain policies, preventing malicious servers from receiving unauthorized credentials from other domains.

prevent

AC-6 least privilege limits access to only necessary credentials matching the requesting server's domain, mitigating excessive disclosure in GOAUTH.

References