Vulnerability Report: GO-2022-0525
standard library
- CVE-2022-1705
- Affects: net/http
- Published: Jul 25, 2022
- Modified: May 20, 2024
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
Affected Packages
- Path: net/http
- Go Versions: before go1.17.12, from go1.18.0-0 before go1.18.4
- Symbols: 1 unexported affected symbol
  - transferReader.parseTransferEncoding
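To check a toolchain against the affected ranges listed above, the following added example (not part of the report or of the Go project's tooling) parses a Go release tag and applies both ranges, including the `go1.18.0-0` lower bound that pulls in 1.18 betas and release candidates. The names `parseTag` and `inAffectedRange` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// goVersion is a parsed release tag such as "go1.17.12" or "go1.18rc1".
type goVersion struct {
	major, minor, patch int
	pre                 bool // beta/rc build, which sorts before the .0 release
}

var tagRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+)|(beta|rc)\d+)?`)

// parseTag parses a runtime.Version() tag; "devel ..." builds yield ok=false.
func parseTag(s string) (v goVersion, ok bool) {
	m := tagRE.FindStringSubmatch(s)
	if m == nil {
		return v, false
	}
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	v.patch, _ = strconv.Atoi(m[3]) // empty when the tag has no patch part: 0
	v.pre = m[4] != ""
	return v, true
}

// inAffectedRange applies the two ranges listed in this report:
// before go1.17.12, and from go1.18.0-0 before go1.18.4.
func inAffectedRange(v goVersion) bool {
	switch {
	case v.major != 1:
		return v.major < 1
	case v.minor < 17:
		return true
	case v.minor == 17:
		return v.pre || v.patch < 12
	case v.minor == 18:
		return v.pre || v.patch < 4 // the "-0" lower bound covers betas and RCs
	}
	return false
}

func main() {
	v, ok := parseTag(runtime.Version())
	fmt.Printf("%s parsed=%v affected=%v\n", runtime.Version(), ok, ok && inAffectedRange(v))
}
```

This reports on the toolchain that compiled the checking program itself; `go version <file>` prints the tag a given compiled binary was built with, which can then be passed to `parseTag`.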
References
- https://go.dev/cl/409874
- https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f
- https://go.dev/issue/53188
- https://go.dev/cl/410714
- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
- https://vuln.go.dev/ID/GO-2022-0525.json
Credits
- Zeyu Zhang (https://www.zeyu2001.com/)