Description
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
References (8)
Scores
CVSS v3
9.8
EPSS
0.0427
EPSS Percentile
88.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-444
Status
published
Products (16)
fedoraproject/fedora
21
fedoraproject/fedora
22
golang/go
< 1.4.2
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_aus
7.2
redhat/enterprise_linux_server_aus
7.3
redhat/enterprise_linux_server_aus
7.4
redhat/enterprise_linux_server_aus
7.6
redhat/enterprise_linux_server_eus
7.2
redhat/enterprise_linux_server_eus
7.3
... and 6 more
Published
Oct 18, 2017
Tracked Since
Feb 18, 2026