PT-2022-14059 · Go+9

Zeyu Zhang · Published 2022-07-12 · Updated 2026-03-06 · CVE-2022-1705

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.17.12
Go versions prior to 1.18.4

Description

The issue arises from the acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http. This can lead to HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding.

Recommendations

For Go versions prior to 1.17.12, update to version 1.17.12 or later.
For Go versions prior to 1.18.4, update to version 1.18.4 or later.

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

ALSA-2022:5775
ALSA-2022:5799
ALSA-2022:7129
ALSA-2022:7519
ALSA-2022:7529
ALSA-2022:7648
ALSA-2022:8057
ALSA-2022:8098
ALSA-2022:8250
ALSA-2023:2357
ALSA-2023:2758
ALSA-2023:2802
ALT-PU-2022-2310
ALT-PU-2022-2316
ALT-PU-2022-2873
ALT-PU-2023-1205
AZL-10529
AZL-79116
BIT-GOLANG-2022-1705
CESA-2022_5775
CESA-2022_7129
CESA-2022_7519
CESA-2022_7529
CESA-2022_7648
CESA-2023_2758
CESA-2023_2802
CVE-2022-1705
GO-2022-0525
MGASA-2022-0262
OESA-2022-1783
OPENSUSE-SU-2022_2671-1
OPENSUSE-SU-2022_2672-1
OPENSUSE-SU-2024:12189-1
OPENSUSE-SU-2024:12190-1
RHSA-2022:5068
RHSA-2022:5775
RHSA-2022:5799
RHSA-2022:5866
RHSA-2022:6042
RHSA-2022:6113
RHSA-2022:7129
RHSA-2022:7398
RHSA-2022:7519
RHSA-2022:7529
RHSA-2022:7648
RHSA-2022:8057
RHSA-2022:8098
RHSA-2022:8250
RHSA-2022:8626
RHSA-2022_5775
RHSA-2022_5799
RHSA-2022_7129
RHSA-2022_7519
RHSA-2022_7529
RHSA-2022_7648
RHSA-2022_8057
RHSA-2022_8098
RHSA-2022_8250
RHSA-2023:0407
RHSA-2023:1275
RHSA-2023:2357
RHSA-2023:2758
RHSA-2023:2802
RHSA-2023_2357
RHSA-2023_2758
RHSA-2023_2802
RLSA-2022:5775
RLSA-2022:5799
RLSA-2022:7129
RLSA-2022:7519
RLSA-2022:7529
RLSA-2022:7648
RLSA-2022:8057
RLSA-2022:8098
RLSA-2022:8250
SUSE-SU-2022:2671-1
SUSE-SU-2022:2672-1
SUSE-SU-2022_2671-1
SUSE-SU-2022_2672-1
SUSE-SU-2023:2312-1
SUSE-SU-2023_2312-1
USN-6038-1
USN-6038-2

Affected Products

ALT Linux
AlmaLinux
CentOS
Debian
Go
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu