PT-2022-21118 · Go+9

Christian Mehlmauer · Published 2022-07-12 · Updated 2026-03-06 · CVE-2022-32148

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.17.12
Go versions prior to 1.18.4

Description

The issue is related to the improper exposure of client IP addresses. This can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header. As a result, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation.

Recommendations

For Go versions prior to 1.17.12, update to Go 1.17.12 or later to resolve the issue. For Go versions prior to 1.18.4, update to Go 1.18.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of a nil value for the X-Forwarded-For header in the Request.Header map when calling httputil.ReverseProxy.ServeHTTP.
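
A regression check for the behaviour described above, added here as an example (it is not code from this advisory or from the Go project): it passes a request whose Request.Header map holds a nil X-Forwarded-For entry to httputil.ReverseProxy.ServeHTTP and reports what the backend would receive. The names captureTransport and forwardedFor are hypothetical, and the hosts and client address are constructed; on an affected toolchain the opt-out case returns the client IP, on a fixed one it returns nothing.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport (hypothetical helper) records the outbound request's
// headers instead of sending it, so the check needs no network.
type captureTransport struct{ seen http.Header }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.seen = r.Header.Clone()
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    r,
	}, nil
}

// forwardedFor (hypothetical helper) proxies one constructed request and
// returns the X-Forwarded-For values the backend would have received.
// With optOut set, the inbound Request.Header map holds a nil
// X-Forwarded-For entry, the case this advisory describes.
func forwardedFor(optOut bool) []string {
	target, _ := url.Parse("http://backend.invalid") // placeholder, never dialed
	ct := &captureTransport{}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://proxy.invalid/", nil)
	req.RemoteAddr = "192.0.2.10:40000" // constructed client address (TEST-NET-1)
	if optOut {
		req.Header["X-Forwarded-For"] = nil
	}
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return ct.seen.Values("X-Forwarded-For")
}

func main() {
	fmt.Println("default:", forwardedFor(false)) // client IP is added
	fmt.Println("opt-out:", forwardedFor(true))  // empty once the fix is in
}
```

Running this in CI against the toolchain that builds the proxy confirms the upgrade took effect for the binary that is actually shipped.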


Related Identifiers

ALSA-2022:5775
ALSA-2022:5799
ALSA-2022:7129
ALSA-2022:7519
ALSA-2022:7529
ALSA-2022:7648
ALSA-2022:8057
ALSA-2022:8250
ALSA-2023:2357
ALSA-2023:2758
ALSA-2023:2802
ALT-PU-2022-2310
ALT-PU-2022-2316
ALT-PU-2022-2873
ALT-PU-2023-1205
AZL-10538
AZL-79054
BIT-GOLANG-2022-32148
CESA-2022_5775
CESA-2022_7129
CESA-2022_7519
CESA-2022_7529
CESA-2022_7648
CESA-2023_2758
CESA-2023_2802
CVE-2022-32148
GO-2022-0520
MGASA-2022-0262
OESA-2022-1783
OESA-2024-1105
OESA-2024-1198
OESA-2024-1250
OESA-2025-1185
OPENSUSE-SU-2022_2671-1
OPENSUSE-SU-2022_2672-1
OPENSUSE-SU-2024:12189-1
OPENSUSE-SU-2024:12190-1
RHSA-2022:5775
RHSA-2022:5799
RHSA-2022:5866
RHSA-2022:6042
RHSA-2022:6113
RHSA-2022:7129
RHSA-2022:7398
RHSA-2022:7519
RHSA-2022:7529
RHSA-2022:7648
RHSA-2022:8057
RHSA-2022:8250
RHSA-2022:8626
RHSA-2022_5775
RHSA-2022_5799
RHSA-2022_7129
RHSA-2022_7519
RHSA-2022_7529
RHSA-2022_7648
RHSA-2022_8057
RHSA-2022_8250
RHSA-2023:0407
RHSA-2023:1275
RHSA-2023:2357
RHSA-2023:2758
RHSA-2023:2802
RHSA-2023_2357
RHSA-2023_2758
RHSA-2023_2802
RLSA-2022:5775
RLSA-2022:5799
RLSA-2022:7129
RLSA-2022:7519
RLSA-2022:7529
RLSA-2022:7648
RLSA-2022:8057
RLSA-2022:8250
SUSE-SU-2022:2671-1
SUSE-SU-2022:2672-1
SUSE-SU-2023:2312-1
USN-6038-1
USN-6038-2

Affected Products

ALT Linux
AlmaLinux
CentOS
Debian
Go
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu