Gragdoll

**Name of the Vulnerable Software and Affected Versions** Go version 1.11.5 **Description** An issue was discovered in the net/http package of Go, where CRLF injection is possible if the attacker controls a `url` parameter. This is demonstrated by the second argument to `http.NewRequest` with `r ` followed by an HTTP header or a Redis command. **Recommendations** For Go version 1.11.5, consider restricting the use of the `http.NewRequest` function with user-controlled `url` parameters until a patch is available. As a temporary workaround, avoid using the `http.NewRequest` function with `r ` followed by an HTTP header or a Redis command. At the moment, there is no information about a newer version that contains a fix for this vulnerability.