Vulnerability Report: GO-2022-0525
- Affects: net/http
- Published: Jul 25, 2022
- Modified: Jun 12, 2023
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
- Go versions: before go1.17.12, from go1.18.0-0 before go1.18.4
- Symbols: all symbols
- Zeyu Zhang (https://www.zeyu2001.com/)
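
The following is an added example, not code from the Go project or from this report. It shows one way a parser ends up treating an invalid Transfer-Encoding value as "chunked" (normalizing before comparing) next to a strict check that rejects such values. The function names and all sample header values are constructed; the report does not list the values the client accepted.

```go
package main

import (
	"fmt"
	"strings"
)

// lenientChunked (constructed anti-pattern) normalizes before comparing, so
// values that are not the token "chunked" are still treated as chunked.
func lenientChunked(values []string) bool {
	return len(values) > 0 && strings.EqualFold(strings.TrimSpace(values[0]), "chunked")
}

// isChunkedToken matches byte-wise and folds only A-Z, so padding bytes and
// Unicode look-alikes such as U+212A KELVIN SIGN never match.
func isChunkedToken(s string) bool {
	const want = "chunked"
	if len(s) != len(want) {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		if 'A' <= c && c <= 'Z' {
			c += 'a' - 'A'
		}
		if c != want[i] {
			return false
		}
	}
	return true
}

// strictChunked accepts exactly one field value equal to "chunked" and
// returns an error for anything else instead of guessing the sender's intent.
func strictChunked(values []string) (bool, error) {
	if len(values) == 0 {
		return false, nil // header absent: body is not chunked
	}
	if len(values) > 1 || !isChunkedToken(values[0]) {
		return false, fmt.Errorf("invalid Transfer-Encoding %q", values)
	}
	return true, nil
}

func main() {
	// Constructed sample values, not taken from the report.
	for _, v := range []string{"chunked", "Chunked", "\vchunked", "chun\u212Aed"} {
		ok, err := strictChunked([]string{v})
		fmt.Printf("%q lenient=%v strict=%v err=%v\n", v, lenientChunked([]string{v}), ok, err)
	}
}
```

Any value where the two functions disagree is one that a lenient hop and a strict hop would frame differently, which is the precondition for request smuggling that the report describes.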