Vulnerability Report: GO-2021-0159

standard library

CVE-2015-5739, CVE-2015-5740, and 1 more
Affects: net/http
Published: Jan 05, 2022
Modified: May 20, 2024

HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

Affected Packages

Path

Go Versions

Symbols
net/http

before go1.4.3
- CanonicalMIMEHeaderKey

Aliases

CVE-2015-5739
CVE-2015-5740
CVE-2015-5741

References

https://go.dev/cl/13148
https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f
https://go.dev/cl/11772
https://go.dev/cl/11810
https://go.dev/cl/12865
https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9
https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87
https://go.dev/issue/12027
https://go.dev/issue/11930
https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ
https://vuln.go.dev/ID/GO-2021-0159.json

Credits

Jed Denlea, Régis Leroy

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL