Vulnerability Report: GO-2023-1878

CVE-2023-29406
Affects: net/http
Published: Jul 11, 2023
Modified: May 20, 2024

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

Affected Packages

Path

Versions

Symbols
net/http

before go1.19.11, from go1.20.0-0 before go1.20.6
15 affected symbols

Aliases

CVE-2023-29406

References

https://go.dev/issue/60374
https://go.dev/cl/506996
https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://vuln.go.dev/ID/GO-2023-1878.json

Credits

Bartek Nowotarski

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL