CVE-2015-5739

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.4.3

Description The issue arises from improper parsing of HTTP header keys in the net/http library, specifically when a space is used instead of a hyphen, as seen in "Content Length" instead of "Content-Length". This allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

Recommendations For Go versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/http library until a patch is applied. Avoid using the Content-Length and Transfer-Encoding header fields in the affected API endpoints until the issue is resolved.