Vulnerability Report: GO-2022-0520
- Affects: net/http
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
Client IP addresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.
- Affected versions: before go1.17.12, from go1.18.0-0 before go1.18.4
- Credits: Christian Mehlmauer
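
To check how a given toolchain behaves, the following added example (not part of the original report or of the Go project's code) drives a ReverseProxy through the cases described above and records the X-Forwarded-For header it would send upstream. The captureTransport type, the mode names and the proxy.example / backend.internal hosts are assumptions of this example; on a release outside the affected ranges, both nil cases leave the header out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// captureTransport (hypothetical helper) records the outbound headers
// instead of contacting a real backend, so the check runs offline.
type captureTransport struct{ sent http.Header }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.sent = r.Header.Clone()
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{}, Body: http.NoBody, Request: r}, nil
}

// seenXFF returns the X-Forwarded-For values the proxy would send upstream.
// mode is one of "default", "director-nil", "inbound-nil" (this example's names).
func seenXFF(mode string) []string {
	target, _ := url.Parse("http://backend.internal") // constructed upstream
	proxy := httputil.NewSingleHostReverseProxy(target)
	ct := &captureTransport{}
	proxy.Transport = ct
	if mode == "director-nil" {
		base := proxy.Director
		proxy.Director = func(r *http.Request) {
			base(r)
			r.Header["X-Forwarded-For"] = nil // suppress the header in the Director
		}
	}
	// Constructed client request; httptest.NewRequest sets RemoteAddr to 192.0.2.1:1234.
	req := httptest.NewRequest("GET", "http://proxy.example/", nil)
	if mode == "inbound-nil" {
		// The case in the report: nil is already in the map when ServeHTTP is called.
		req.Header["X-Forwarded-For"] = nil
	}
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return ct.sent.Values("X-Forwarded-For")
}

func main() {
	for _, m := range []string{"default", "director-nil", "inbound-nil"} {
		fmt.Printf("%-12s upstream X-Forwarded-For: %q\n", m, seenXFF(m))
	}
}
```

If the "inbound-nil" line shows the client address, the binary was built with an affected Go release.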