A remote attacker can exploit Go's HTTP client to leak proxy credentials via cross-origin redirects, or bypass certificate policy validation when ExtKeyUsageAny is used during TLS verification.