PT-2021-19405

Guido Vranken · Published 2021-02-19 · Updated 2024-06-15 · CVE-2021-31525

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.15.12
Go versions 1.16.x prior to 1.16.4
Description
The issue allows remote attackers to cause a denial of service (an unrecoverable panic) by supplying a very large header to net/http's ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations: a malicious HTTP client can make a net/http server panic, and a malicious HTTP server can make a net/http client panic.
Recommendations
For Go versions prior to 1.15.12, update to version 1.15.12 or later to resolve the issue.
For Go versions 1.16.x prior to 1.16.4, update to version 1.16.4 or later to resolve the issue.
As a temporary workaround, consider setting Server.MaxHeaderBytes to a lower value to minimize the risk of exploitation.
Restrict access to the Transport and Client components to minimize the risk of exploitation.
Avoid using the ReadRequest and ReadResponse functions on input that may carry large headers until the issue is resolved.
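As an added example (not code from the advisory or from the Go project), the program below exercises both sides of the header-size workaround against a local test server: Server.MaxHeaderBytes caps request headers so an oversized one is answered with 431 instead of being parsed further, and on the client side Transport.MaxResponseHeaderBytes (a standard-library Transport field the advisory does not mention) makes the Client abort on an oversized reply header. The helper names newCappedServer, requestStatus and responseHeaderRejected are my own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newCappedServer (hypothetical helper) serves with the request-header budget
// capped at maxHeaderBytes, the Server-side workaround the advisory recommends.
func newCappedServer(maxHeaderBytes int) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	ts.Config.MaxHeaderBytes = maxHeaderBytes
	ts.Start()
	return ts
}

// requestStatus sends a GET with an X-Probe header of headerSize bytes and returns the status code.
func requestStatus(url string, headerSize int) (int, error) {
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	req.Header.Set("X-Probe", strings.Repeat("a", headerSize))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// responseHeaderRejected is the Client/Transport mirror image: a Transport with
// MaxResponseHeaderBytes set aborts instead of parsing an oversized reply header.
func responseHeaderRejected(headerSize int, maxRespHeader int64) bool {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Header().Set("X-Big", strings.Repeat("b", headerSize)) }))
	defer ts.Close()
	c := &http.Client{Transport: &http.Transport{MaxResponseHeaderBytes: maxRespHeader}}
	resp, err := c.Get(ts.URL)
	if err != nil {
		return true // "net/http: server response headers exceeded 4096 bytes; aborted"
	}
	resp.Body.Close()
	return false
}

func main() {
	ts := newCappedServer(4096)
	defer ts.Close()
	fmt.Println(requestStatus(ts.URL, 100))           // 200 <nil>
	fmt.Println(requestStatus(ts.URL, 16<<10))        // 431 <nil>: header budget exceeded
	fmt.Println(responseHeaderRejected(16<<10, 4096)) // true
}
```

The server-side limit is MaxHeaderBytes plus a small fixed allowance for the request line, so pick the cap from the largest legitimate header your application expects.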

Exploit · Fix

Tags: DoS, Uncontrolled Recursion


Related Identifiers

ALT-PU-2021-1376
ALT-PU-2021-1769
ALT-PU-2021-1781
ALT-PU-2021-1941
BIT-GOLANG-2021-31525
CESA-2021_3076
CVE-2021-31525
GHSA-H86H-8PPG-MXMH
GO-2022-0236
MGASA-2021-0369
OPENSUSE-SU-2021:0904-1
OPENSUSE-SU-2024:10808-1
OPENSUSE-SU-2024:10809-1
RHSA-2021:2704
RHSA-2021:2984
RHSA-2021:3076
RHSA-2021:3248
RHSA-2021:3487
RHSA-2021:3555
RHSA-2021:4103
RHSA-2021:5072
RHSA-2022:0308
RLSA-2021:3076
SUSE-SU-2021:2082-1
SUSE-SU-2021:2085-1

Affected Products

Alt Linux
Astra Linux
CentOS
Go
Red Hat
Rocky Linux
SUSE