The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.
With the fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
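A caller-side guard can apply the same fail-closed behaviour to both fields before a request reaches the transport. This is an added example, not code from the Go project or its patch; `hostOK`, `CheckRequestHost`, `HostGuard` and the character allowlist are assumptions of this example, and the allowlist is deliberately stricter than a general host grammar.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

var ErrInvalidHost = errors.New("refusing to send request: invalid Host value")

// hostOK is a conservative allowlist (assumption of this example): letters,
// digits and host:port / bracketed-IPv6 punctuation. CR, LF, space fail.
func hostOK(h string) bool {
	for i := 0; i < len(h); i++ {
		c := h[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case c == '.', c == '-', c == '_', c == ':', c == '[', c == ']', c == '%':
		default:
			return false
		}
	}
	return true
}

// CheckRequestHost validates both fields named in the advisory.
func CheckRequestHost(req *http.Request) error {
	if !hostOK(req.Host) {
		return fmt.Errorf("%w: Request.Host %q", ErrInvalidHost, req.Host)
	}
	if req.URL != nil && !hostOK(req.URL.Host) {
		return fmt.Errorf("%w: Request.URL.Host %q", ErrInvalidHost, req.URL.Host)
	}
	return nil
}

// HostGuard wraps a RoundTripper and rejects the request before any bytes are sent.
type HostGuard struct{ Next http.RoundTripper }

func (g HostGuard) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := CheckRequestHost(req); err != nil {
		return nil, err
	}
	return g.Next.RoundTrip(req)
}

func main() {
	req, _ := http.NewRequest("GET", "http://example.com/", nil)
	req.Host = "example.com\r\nX-Injected: 1" // constructed invalid value
	_, err := HostGuard{Next: http.DefaultTransport}.RoundTrip(req)
	fmt.Println("crafted Host:", err)
}
```

Install it with `http.Client{Transport: HostGuard{Next: http.DefaultTransport}}` wherever `Request.Host` can be influenced by untrusted input.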
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-1878" }
{ "imports": [ { "path": "net/http", "symbols": [ "Client.CloseIdleConnections", "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "Post", "PostForm", "Request.Write", "Request.WriteProxy", "Request.write", "Transport.CancelRequest", "Transport.CloseIdleConnections", "Transport.RoundTrip" ] } ] }