CVE-2022-32148

Summary

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/http0 < 1.17.12affected
Go standard librarynet/http1.18.0-0 < 1.18.4affected

Weaknesses

  • CWE-200: Information Exposure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References