go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Affected Packages

Go github.com/hashicorp/go-retryablehttp

Affected versions: 0 (fixed in 0.7.7)

Related CVEs

CVE-2024-6104

Key Information

GHSA ID

GHSA-v6v8-xj6m-xwqh

Published

June 24, 2024 6:31 PM

Last Modified

June 26, 2024 7:31 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/hashicorp/go-retryablehttp

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.