Lattwood

**Name of the Vulnerable Software and Affected Versions** go-resty (affected versions not specified) **Description** A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling `sync.Pool.Put` with the same `*bytes.Buffer` more than once, when request retries are enabled and a retry occurs. The call to `sync.Pool.Get` will then return a `bytes.Buffer` that hasn't had `bytes.Buffer.Reset` called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The `sync.Pool` in question is defined at package level scope, so a completely unrelated server could receive the request body. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.