GO-2022-0525

Source
https://pkg.go.dev/vuln/GO-2022-0525
Import Source
https://vuln.go.dev/ID/GO-2022-0525.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0525
Aliases
Published
2022-07-25T17:34:18Z
Modified
2024-05-20T16:03:47Z
Summary
Improper sanitization of Transfer-Encoding headers in net/http
Details

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

References
Credits
    • Zeyu Zhang (https://www.zeyu2001.com/)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.17.12
Introduced
1.18.0-0
Fixed
1.18.4

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "transferReader.parseTransferEncoding"
            ]
        }
    ]
}