GO-2022-0761

Source
https://pkg.go.dev/vuln/GO-2022-0761
Import Source
https://vuln.go.dev/ID/GO-2022-0761.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0761
Aliases
Published
2022-08-09T17:05:15Z
Modified
2024-05-20T16:03:47Z
Summary
Improper input validation in net/http and net/http/cgi
Details

An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests.

This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.

Read more about "httpoxy" here: https://httpoxy.org.

References
Credits
    • Dominic Scheirlinck

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.3

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "Handler.ServeHTTP"
            ]
        },
        {
            "path": "net/http/cgi",
            "symbols": [
                "ProxyFromEnvironment"
            ]
        }
    ]
}