Vulnerability Report: GO-2024-2963

CVE-2024-24791
Affects: net/http
Published: Jul 02, 2024

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected Packages

Path

Versions

Symbols
net/http

before go1.21.12, from go1.22.0-0 before go1.22.5
13 affected symbols

Aliases

CVE-2024-24791

References

https://go.dev/cl/591255
https://go.dev/issue/67555
https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ
https://vuln.go.dev/ID/GO-2024-2963.json

Credits

Geoff Franks

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL