net/http: sensitive headers not cleared on cross-origin redirect CVE-2025-4673

[thatnealpatel]

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

This is CVE-2025-4673

/cc @golang/security and @golang/release

[thatnealpatel]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #73905 (for 1.23), #73906 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/679257 mentions this issue: net/http: strip sensitive proxy headers from redirect requests

[gopherbot]

Change https://go.dev/cl/679255 mentions this issue: [release-branch.go1.23] net/http: strip sensitive proxy headers from redirect requests

[gopherbot]

Change https://go.dev/cl/679256 mentions this issue: [release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests