36 matches found
EUVD-2022-4104
Malicious code in bioql PyPI...
EUVD-2022-0700
Malicious code in bioql PyPI...
OESA-2025-2308 golang security update
Security Fixes: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. CVE-2025-22871...
Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http
...
net/http: Request smuggling due to acceptance of invalid chunked data in net/http
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed LF instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to se...
Security Bulletin: Go net/http package is vulnerable to a denial of service, a remote attacker could exploit this vulnerability to cause a denial of service, affects watsonx.data
Summary Go net/http package is vulnerable to a denial of service, caused by improper 100-continue header handling. By sending "Expect: 100-continue" requests, a remote attacker could exploit this vulnerability to cause a denial of service and this could affect watsonx.data. Vulnerability Details...
Cross-Site Request Forgery (CSRF)
github.com/justinas/nosurf is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to misuse of the Go net/http library, which causes nosurf to treat all incoming requests as plain-text HTTP. As a result, it fails to verify that the Referer header is from the same origin,...
nosurf vulnerable to CSRF due to non-functional same-origin request checks
Impact This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS or otherwise), to bypass Cross-Site Request Forgery checks and issue requests on a user's behalf. Details Due to misuse of the Go net/http library, nosurf...
Medium: docker
Issue Overview: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 Affected Packages: docker Note: This advisory is applicable to Amazon...
Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : Go vulnerabilities (USN-7081-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7081-1 advisory. It was discovered that the Go net/http module did not properly handle responses to requests with an Expect: 100-continue header...
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...
HTTP Response Splitting
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to HTTP Response Splitting. Go Vulnerability Report: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
SUSE CVE-2021-44716
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests...
Directory Traversal
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Directory Traversal. Go Vulnerability Report: On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a...
Medium: containerd, docker
Issue Overview: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 Affected Packages: containerd, docker Note: This advisory is applicabl...
AZL-52863 CVE-2022-27664 affecting package golang for versions less than 1.18.8-1
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error...
AZL-79106 CVE-2022-27664 affecting package golang 1.25.7-1
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error...