CVE-2025-4673
Severity: Medium · CVSS 6.8
Medium Impact: This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.
Component: Go standard library (net/http)
Disclosed: Jun 19, 2025
CVSS Score: 6.8
The net/http client retains the Proxy-Authorization and Proxy-Authenticate headers when following HTTP redirects to a different origin. If a backend reachable through KrakenD issues a cross-origin redirect and the upstream request carries proxy authentication headers, those credentials are forwarded to the redirect target. Fixed in Go 1.24.4.

Community Edition
2.10.1 addresses this CVE
Affected CE versions: >= 2.0, < 2.10.1

Enterprise Edition
2.10.1 addresses this CVE
Affected EE versions: >= 2.0, < 2.10.1
Upgrade to the addressed version or later to remediate this vulnerability.
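As an added illustration of the behaviour this advisory describes (example code, not KrakenD's or the Go project's own): an http.Client CheckRedirect policy that deletes the two proxy authentication headers whenever a redirect target's scheme or host:port differs from the previous hop, which is stricter than the standard library's own rule, run against a constructed redirect chain. The hostnames and the credential value are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Headers named in the advisory; dropped whenever a redirect leaves
// the origin (scheme + host:port) of the request that carried them.
var proxyAuthHeaders = []string{"Proxy-Authorization", "Proxy-Authenticate"}

// sameOrigin reports whether two URLs share scheme and host:port.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// stripProxyAuthOnRedirect is an http.Client.CheckRedirect policy: req is the
// upcoming redirected request, via the requests already sent (oldest first).
// When the target's origin differs from the previous hop, the proxy
// authentication headers are removed from req before the client sends it.
func stripProxyAuthOnRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // same redirect limit as the default policy
		return errors.New("stopped after 10 redirects")
	}
	if len(via) > 0 && !sameOrigin(via[len(via)-1].URL, req.URL) {
		for _, h := range proxyAuthHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

func main() {
	// Constructed redirect chain standing in for a backend reachable through
	// the gateway that redirects to another origin; no network traffic is made.
	first, _ := http.NewRequest(http.MethodGet, "https://backend.internal.example/v1/users", nil)
	next, _ := http.NewRequest(http.MethodGet, "https://mirror.other.example/v1/users", nil)
	next.Header.Set("Proxy-Authorization", "Basic ZGVtbzpkZW1v") // constructed, not a real credential
	next.Header.Set("Accept", "application/json")
	client := &http.Client{CheckRedirect: stripProxyAuthOnRedirect} // how the policy is installed
	_ = client.CheckRedirect(next, []*http.Request{first})
	fmt.Printf("Proxy-Authorization forwarded: %q\n", next.Header.Get("Proxy-Authorization"))
	fmt.Printf("Accept forwarded: %q\n", next.Header.Get("Accept"))
}
```

Unrelated headers such as Accept are left untouched, and a same-origin redirect keeps the proxy authentication headers.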