Description
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
References (9)
Scores
CVSS v3
9.8
EPSS
0.1188
EPSS Percentile
93.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-444
Status
published
Products (16)
fedoraproject/fedora
21
fedoraproject/fedora
22
golang/go
< 1.4.2
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_aus
7.2
redhat/enterprise_linux_server_aus
7.3
redhat/enterprise_linux_server_aus
7.4
redhat/enterprise_linux_server_aus
7.6
redhat/enterprise_linux_server_eus
7.2
redhat/enterprise_linux_server_eus
7.3
... and 6 more
Published
Oct 18, 2017
Tracked Since
Feb 18, 2026