The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0525" }