Filosottile

**Name of the Vulnerable Software and Affected Versions** Go versions 1.12.0 through 1.12.9 Go versions 1.13.0 through 1.13.0 **Description** The issue is related to inconsistent interpretation of HTTP requests. This can be exploited by a remote attacker to impact data integrity. Specifically, the `net/http` package used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, violating RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently, leading to filter bypasses or request smuggling. **Recommendations** For Go versions 1.12.0 through 1.12.9, update to version 1.12.10 or later. For Go versions 1.13.0 through 1.13.0, update to version 1.13.1 or later. As a temporary workaround, consider restricting the use of the `net/http` package until a patch is available. Avoid using the `net/textproto` package in the affected API endpoints until the issue is resolved.