Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
CPE | Name | Operator | Version |
---|---|---|---|
go | eq | weekly.2012-01-27 | |
go | eq | weekly.2010-09-15 | |
go | eq | weekly.2010-11-23 | |
go | eq | weekly.2010-02-17 | |
go | eq | weekly.2010-03-30 | |
go | eq | go1.15beta1 | |
go | eq | go1.17.5 | |
go | eq | go1.4beta1 | |
go | eq | go1.11beta3 | |
go | eq | weekly.2011-03-15 |