CVE-2015-5740
CRITICALGo <1.4.3 - HTTP Request Smuggling
Title source: llmDescription
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
References (8)
Scores
CVSS v3
9.8
EPSS
0.0427
EPSS Percentile
88.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-444
Status
draft
Affected Products (16)
golang/go
< 1.4.2
fedoraproject/fedora
fedoraproject/fedora
redhat/enterprise_linux_server
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_tus
redhat/enterprise_linux_server_tus
... and 1 more
Timeline
Published
Oct 18, 2017
Tracked Since
Feb 18, 2026