Package details: pkg:golang/github.com/cloudevents/sdk-go/v2@2.15.2
purl pkg:golang/github.com/cloudevents/sdk-go/v2@2.15.2
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
VCID-sajm-cnn5-jqac: Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

### Impact

_What kind of vulnerability is it? Who is impacted?_

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):

<pre>
if p.Client == nil {
    p.Client = **http.DefaultClient**
}
if p.roundTripper != nil {
    p.Client.**Transport = p.roundTripper**
}
</pre>

When the transport is populated with an authenticated transport such as:

- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)
- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to **any endpoint** it is used to contact!

Found and patched by: @tcnghia and @mattmoor

### Patches

v.2.15.2

Aliases: CVE-2024-28110, GHSA-5pf6-2qwx-pxm2

History:
- Date: 2026-04-01T12:50:59.174105+00:00
- Actor: GithubOSV Importer
- Action: Fixing VCID-sajm-cnn5-jqac
- Vulnerability Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5pf6-2qwx-pxm2/GHSA-5pf6-2qwx-pxm2.json
- VulnerableCode Version: 38.0.0