{"id":"GO-2025-3383","summary":"GOAUTH credential leak in cmd/go","details":"Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.","aliases":["BIT-golang-2024-45340","CVE-2024-45340"],"modified":"2026-03-17T04:49:29.968444Z","published":"2025-01-28T00:47:30Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3383","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/643097"},{"type":"REPORT","url":"https://go.dev/issue/71249"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.24.0-0"},{"fixed":"1.24.0-rc.2"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3383.json"}}],"schema_version":"1.7.5","credits":[{"name":"Juho Forsén of Mattermost"}]}