CVE-2022-1705

6.5 MEDIUM

Published: August 10, 2022 Modified: March 06, 2026

Description

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://go.dev/cl/409874

Source: security@golang.org

Patch Vendor Advisory

https://go.dev/cl/410714

Source: security@golang.org

Patch Vendor Advisory

https://go.dev/issue/53188

Source: security@golang.org

Exploit Issue Tracking Patch Vendor Advisory

https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f

Source: security@golang.org

Patch Vendor Advisory

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

Source: security@golang.org

Release Notes Vendor Advisory

https://pkg.go.dev/vuln/GO-2022-0525

Source: security@golang.org

Vendor Advisory

https://go.dev/cl/409874