The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

🗓️ 03 Sep 2025 23:29:37Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 4 Views

Go net/http up to 1.6 omits httpoxy protections enabling HTTP_PROXY data to redirect CGI traffic.

Reporter	Title	Published	Views	Family All 74
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900	18 Feb 202301:45	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840	18 Jun 201800:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Concert Software is vulnerable to multiple issues	22 Aug 202417:47	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products	29 Mar 202301:48	–	ibm
ATTACKERKB	CVE-2016-1000101	6 Oct 201614:59	–	attackerkb
Amazon	Medium: golang	17 Aug 201600:00	–	amazon
Tenable Nessus	Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)	18 Aug 201600:00	–	nessus
Tenable Nessus	CentOS 7 : golang (CESA-2016:1538) (httpoxy)	3 Aug 201600:00	–	nessus
Tenable Nessus	Fedora 23 : golang (2016-340e361b90) (httpoxy)	29 Jul 201600:00	–	nessus
Tenable Nessus	Fedora 24 : golang (2016-ea5e284d34) (httpoxy)	29 Jul 201600:00	–	nessus

03 Sep 2025 23:29Current

7High risk

Vulners AI Score7

CVSS 26.8

CVSS 3.18.1

EPSS0.45904

Go language web proxy common gateway interface httpoxy vulnerability