Vulnerability Report: GO-2022-0525

standard library

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

Affected Packages

  • Columns: Path, Go Versions, Symbols
  • Go Versions: before go1.17.12, from go1.18.0-0 before go1.18.4
    Symbols: 1 unexported affected symbol
    • transferReader.parseTransferEncoding
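
An added example (not part of this report or of the Go project's code): a check of a Go toolchain version string against the ranges listed above, including the go1.18.0-0 lower bound that pulls in 1.18 prereleases. The helper name and the sample version strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Matches release-style toolchain strings such as "go1.17.11", "go1.18" and
// "go1.18rc1", with an optional trailing suffix (e.g. " X:boringcrypto").
var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+)|(?:rc|beta)\d+)?(?:[ +-].*)?$`)

// AffectedByGO20220525 (hypothetical helper name) reports whether v lies in
// the ranges this report lists: before go1.17.12, or from go1.18.0-0 before
// go1.18.4. ok is false for strings it cannot parse, such as "devel ..." builds.
func AffectedByGO20220525(v string) (affected, ok bool) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return false, false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0 // "go1.18" and prereleases such as "go1.18rc1" compare as patch 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major != 1:
		return major < 1, true
	case minor < 17:
		return true, true // everything before go1.17.12
	case minor == 17:
		return patch < 12, true
	case minor == 18:
		return patch < 4, true // lower bound go1.18.0-0 includes 1.18 prereleases
	default:
		return false, true // evaluated strictly against the report's ranges
	}
}

func main() {
	// Constructed sample versions, followed by the toolchain that built this binary.
	for _, v := range []string{"go1.16.15", "go1.17.11", "go1.17.12", "go1.18rc1", "go1.18.3", "go1.18.4", runtime.Version()} {
		affected, ok := AffectedByGO20220525(v)
		fmt.Printf("%-12s affected=%v parsed=%v\n", v, affected, ok)
	}
}
```

runtime.Version() reports the toolchain that built the running binary, which is the version that matters here because the affected symbol is compiled in from the standard library.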

Credits

  • Zeyu Zhang (https://www.zeyu2001.com/)
