CVE-2019-16276

Name of the Vulnerable Software and Affected Versions Go versions 1.12.0 through 1.12.9 Go versions 1.13.0 through 1.13.0

Description The issue is related to inconsistent interpretation of HTTP requests. This can be exploited by a remote attacker to impact data integrity. Specifically, the net/http package used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, violating RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently, leading to filter bypasses or request smuggling.

Recommendations For Go versions 1.12.0 through 1.12.9, update to version 1.12.10 or later. For Go versions 1.13.0 through 1.13.0, update to version 1.13.1 or later. As a temporary workaround, consider restricting the use of the net/http package until a patch is available. Avoid using the net/textproto package in the affected API endpoints until the issue is resolved.