Vulnerability Report: GO-2022-0525

CVE-2022-1705
Affects: net/http
Published: Jul 25, 2022
Modified: Jun 12, 2023

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

Affected Packages

Path

Versions

Symbols
net/http

before go1.17.12, from go1.18.0-0 before go1.18.4

all symbols

Aliases

CVE-2022-1705

References

https://go.dev/cl/409874
https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f
https://go.dev/issue/53188
https://go.dev/cl/410714
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
https://vuln.go.dev/ID/GO-2022-0525.json

Credits

Zeyu Zhang (https://www.zeyu2001.com/)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL