GO-2023-1878

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-1878

Import Source

https://vuln.go.dev/ID/GO-2023-1878.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1878

Aliases

Published

2023-07-11T19:19:08Z

Modified

2024-05-20T16:03:47Z

Summary

Insufficient sanitization of Host header in net/http

Details

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.

With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

References

Credits

- Bartek Nowotarski

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.11

Introduced

1.20.0-0

Fixed

1.20.6

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "Client.CloseIdleConnections",
                "Client.Do",
                "Client.Get",
                "Client.Head",
                "Client.Post",
                "Client.PostForm",
                "Get",
                "Head",
                "Post",
                "PostForm",
                "Request.Write",
                "Request.WriteProxy",
                "Request.write",
                "Transport.CancelRequest",
                "Transport.CloseIdleConnections",
                "Transport.RoundTrip"
            ]
        }
    ]
}