CVE-2024-52009: Go Credential Embedded In Url Format String
greprules fetch cve-2024-52009-go-credential-embedded-in-url-format-string --engine opengrep
Description
A credential is being formatted into the userinfo portion of a URL via a `%s` placeholder (e.g., `://user:%s@host` or `://x-access-token:%s`). Once the secret is inlined into the URL string, it leaks to any code path that renders the URL — logs, wrapped errors, diagnostic output, stored Repo/Clone URL fields, etc. This is how CVE-2024-52009 exposed GitHub Ap
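The flagged pattern beside a hardened form, as an added example (not code from the rule or from the affected project). The `Secret` type, the function names, the host `git.example.test` and the token value are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Secret hides its value from %s, %v and %q; callers use Reveal() only when
// handing it to the transport's auth mechanism. (Hypothetical helper type.)
type Secret string

func (Secret) String() string   { return "[redacted]" }
func (s Secret) Reveal() string { return string(s) }

// buildCloneURLInsecure is the flagged pattern: token formatted into userinfo.
func buildCloneURLInsecure(token, host, repo string) string {
	return fmt.Sprintf("https://x-access-token:%s@%s/%s.git", token, host, repo)
}

// cloneFailed stands in for any code path that renders the URL in an error.
func cloneFailed(rawURL string) error {
	return fmt.Errorf("clone %s: %w", rawURL, errors.New("remote hung up"))
}

// buildCloneTarget keeps the secret out of the URL; the URL is safe to log or store.
func buildCloneTarget(token, host, repo string) (string, Secret) {
	u := url.URL{Scheme: "https", Host: host, Path: "/" + repo + ".git"}
	return u.String(), Secret(token)
}

// redactForLog masks the password of a URL that already carries userinfo.
func redactForLog(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL>" // url.Parse errors quote the raw input
	}
	return u.Redacted() // password becomes "xxxxx"
}

func main() {
	const token = "ghs_CONSTRUCTED_EXAMPLE_0000" // constructed sample, not a real token
	bad := buildCloneURLInsecure(token, "git.example.test", "acme/app")
	fmt.Println("insecure:", cloneFailed(bad)) // token appears in the error text
	safe, cred := buildCloneTarget(token, "git.example.test", "acme/app")
	fmt.Println("hardened:", cloneFailed(safe), "cred:", cred)
	fmt.Println("redacted:", redactForLog(bad))
}
```

`redactForLog` is for URLs that arrive with credentials already embedded; it does not replace keeping the token out of the string in the first place.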
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided