Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
AnalysisAI
Unintended intermediary exposure in go-kratos kratos up to 2.9.2 allows remote attackers to disclose sensitive information via manipulation of the http.DefaultServeMux fallback handler in the NewServer function. The vulnerability has publicly available exploit code and affects the HTTP transport layer with a CVSS score of 5.5, representing a confidentiality impact without availability or integrity concerns.
Technical ContextAI
The vulnerability resides in the HTTP transport component of go-kratos, specifically in the NewServer function of transport/http/server.go. The flaw involves improper handling of the http.DefaultServeMux fallback handler mechanism, which can expose intermediary system information or application details. CWE-441 (Unintended Proxy or Intermediary) indicates that the vulnerability stems from the application acting as an unintended intermediary, potentially leaking information through HTTP responses. The affected library versions through 2.9.2 do not properly isolate or validate the fallback routing behavior, allowing remote exploitation without authentication.
RemediationAI
Apply the vendor-released patch identified as commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d via GitHub pull request #3814 by upgrading go-kratos beyond version 2.9.2. Verify the patched version in go.mod and rebuild the application to incorporate the fix. For immediate mitigation pending patch deployment, restrict HTTP access to kratos services to trusted networks only, implement reverse proxy filtering rules to block requests targeting known fallback handler patterns, and disable or explicitly configure the http.DefaultServeMux fallback behavior through kratos configuration options. Verify patch effectiveness by testing the fallback handler behavior to confirm intermediary information is no longer exposed in HTTP responses.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25669