CVE-2025-4673 is a medium severity vulnerability identified in the Go standard library's net/http package, affecting versions up to 1.24.0-0. The issue involves the improper handling of Proxy-Authorization and Proxy-Authenticate HTTP headers during cross-origin redirects. Specifically, these headers, which can contain sensitive authentication credentials, are persisted and sent along with redirected requests to different origins. This behavior violates the principle of least privilege and can lead to unintended leakage of sensitive proxy authentication information to potentially untrusted external servers. The vulnerability is categorized under CWE-201, which concerns the insertion of sensitive information into sent data. The CVSS v3.1 base score is 6.8, reflecting a medium severity with a vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), high confidentiality impact (C:H), no integrity or availability impact (I:N/A:N). The scope change indicates that the vulnerability affects components beyond the initially vulnerable component, increasing the risk. Although no known exploits are reported in the wild, the vulnerability could be exploited remotely without authentication or user interaction, but requires high attack complexity, likely due to the need to induce cross-origin redirects and control proxy authentication headers. This vulnerability is significant because the Go net/http package is widely used in web servers, proxies, and client applications, meaning that many applications and services built on Go could inadvertently expose sensitive proxy credentials if they handle redirects improperly. The lack of available patches at the time of reporting suggests that users must apply mitigations or updates once released to prevent exploitation.

For European organizations, the impact of CVE-2025-4673 can be considerable, especially for those relying on Go-based infrastructure components such as web servers, reverse proxies, or microservices that handle HTTP traffic with proxy authentication. The leakage of Proxy-Authorization headers during cross-origin redirects could expose sensitive proxy credentials to malicious external servers, potentially allowing attackers to misuse proxy access, intercept or manipulate traffic, or gain unauthorized network access. This could lead to confidentiality breaches, especially in environments where proxy authentication is used to control access to internal or external resources. Given the medium severity and the high confidentiality impact, organizations handling sensitive data, including financial institutions, healthcare providers, and government agencies in Europe, could face data exposure risks. Additionally, the vulnerability could be leveraged as part of a larger attack chain to pivot within networks or exfiltrate data. The fact that exploitation does not require authentication or user interaction increases the risk profile, although the high attack complexity somewhat limits widespread exploitation. However, organizations with complex proxy configurations or those that rely heavily on automated HTTP client libraries in Go are at higher risk. The vulnerability also poses compliance risks under GDPR and other European data protection regulations if sensitive information is leaked due to this flaw.

To mitigate CVE-2025-4673, European organizations should take immediate steps beyond generic patching advice: 1) Monitor for updates from the Go project and prioritize upgrading the net/http package to a fixed version once available. 2) Audit all Go-based applications and services that use the net/http package, focusing on those that handle proxy authentication and perform HTTP redirects, to identify potential exposure. 3) Implement strict validation and sanitization of HTTP headers during redirects, ensuring that Proxy-Authorization and Proxy-Authenticate headers are not forwarded to different origins. 4) Where feasible, configure proxies and HTTP clients to avoid sending sensitive proxy headers on cross-origin redirects or disable automatic redirect following in sensitive contexts. 5) Employ network-level controls to restrict outbound traffic from servers handling proxy credentials to only trusted destinations, reducing the risk of credential leakage to untrusted endpoints. 6) Enhance logging and monitoring to detect unusual redirect patterns or unexpected outbound requests containing proxy headers. 7) Educate developers and DevOps teams about this vulnerability to ensure secure coding practices around HTTP header management and redirect handling. These targeted mitigations will help reduce the risk until patches are applied and prevent exploitation in complex proxy environments.