CVE-2015-5739
CRITICALGo <1.4.3 - SSRF
Title source: llmDescription
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
References (9)
Scores
CVSS v3
9.8
EPSS
0.1188
EPSS Percentile
93.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-444
Status
draft
Affected Products (16)
golang/go
< 1.4.2
fedoraproject/fedora
fedoraproject/fedora
redhat/enterprise_linux_server
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_tus
redhat/enterprise_linux_server_tus
... and 1 more
Timeline
Published
Oct 18, 2017
Tracked Since
Feb 18, 2026