Vulnerability Report: GO-2022-0761

CVE-2016-5386
Affects: net/http, net/http/cgi
Published: Aug 09, 2022
Modified: Jun 12, 2023

An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.

Affected Packages

Path

Versions

Symbols
net/http

before go1.6.3
- Handler.ServeHTTP
net/http/cgi

before go1.6.3
- ProxyFromEnvironment

Aliases

CVE-2016-5386

References

https://go.dev/cl/25010
https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223
https://go.dev/issue/16405
https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ
https://vuln.go.dev/ID/GO-2022-0761.json

Credits

Dominic Scheirlinck

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL