CVE-2022-1705

Summary

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/http0 < 1.17.12affected
Go standard librarynet/http1.18.0-0 < 1.18.4affected

Weaknesses

  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References