Vulnerability Report: GO-2022-0520

CVE-2022-32148
Affects: net/http
Published: Jul 28, 2022
Modified: Jun 12, 2023

Client IP adresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.

Affected Packages

Path

Versions

Symbols
net/http

before go1.17.12, from go1.18.0-0 before go1.18.4
- Header.Clone

Aliases

CVE-2022-32148

References

https://go.dev/cl/412857
https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a
https://go.dev/issue/53423
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
https://vuln.go.dev/ID/GO-2022-0520.json

Credits

Christian Mehlmauer

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL