PT-2024-5886 · Go+11

Geoff Franks · Published 2024-07-02 · Updated 2025-05-15 · CVE-2024-24791

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.22.5

Description: The net/http HTTP/1.1 client mishandled the case where a server responds to a request carrying an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Recommendations: Update to Go version 1.22.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/http/httputil.ReverseProxy proxy to minimize the risk of exploitation.
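As an added example (not code from the advisory or the Go project), one way to apply the interim workaround on a proxy that cannot be upgraded yet: a handler wrapper that refuses requests carrying "Expect: 100-continue" with 417 Expectation Failed before httputil.ReverseProxy forwards them, so the backend never gets the chance to elicit the invalid-connection state. The wrapper names and the backend address are assumptions; upgrading to Go 1.22.5 or later remains the real fix.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// hasExpectContinue reports whether the request carries an
// "Expect: 100-continue" header (case-insensitive, any number of values).
func hasExpectContinue(h http.Header) bool {
	for _, v := range h.Values("Expect") {
		if strings.EqualFold(strings.TrimSpace(v), "100-continue") {
			return true
		}
	}
	return false
}

// refuseExpectContinue wraps a handler (here an httputil.ReverseProxy) and
// rejects 100-continue requests with 417 before they reach the proxy transport.
// Interim mitigation assumption for Go < 1.22.5; not the upstream fix.
func refuseExpectContinue(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasExpectContinue(r.Header) {
			// Respond without reading the body, so the server never sends
			// "100 Continue" and the upstream connection is never touched.
			http.Error(w, "Expect: 100-continue not accepted by this proxy",
				http.StatusExpectationFailed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newGuardedProxy builds a single-host reverse proxy behind the guard.
func newGuardedProxy(backend *url.URL) http.Handler {
	return refuseExpectContinue(httputil.NewSingleHostReverseProxy(backend))
}

func main() {
	backend, err := url.Parse("http://127.0.0.1:8081") // placeholder backend
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", newGuardedProxy(backend)))
}
```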

Fix

RCE


Weakness Enumeration

Related Identifiers

ALSA-2024:6908
ALSA-2024:6913
ALSA-2024:6969
ALSA-2024:7349
ALSA-2024:9089
ALSA-2024:9097
ALSA-2024:9098
ALSA-2024:9115
ALSA-2024:9135
ALSA-2025:7256
ALT-PU-2024-11781
ALT-PU-2024-13971
ALT-PU-2024-9590
AZL-43068
AZL-78960
BDU:2024-06680
BIT-GOLANG-2024-24791
CESA-2024_6908
CESA-2024_6969
CESA-2024_7349
CVE-2024-24791
GO-2024-2963
INFSA-2024_6908
INFSA-2024_6913
INFSA-2024_6969
INFSA-2024_7349
INFSA-2024_9089
INFSA-2024_9097
INFSA-2024_9098
INFSA-2024_9102
INFSA-2024_9115
INFSA-2024_9135
INFSA-2025_7256
MGASA-2024-0261
OESA-2024-1952
OESA-2024-1978
OESA-2024-1979
OESA-2024-1980
OESA-2024-2059
OESA-2025-1052
OESA-2025-1053
OESA-2025-1054
OESA-2025-1055
OESA-2025-1056
OESA-2025-1057
OESA-2025-1058
OESA-2025-1059
OESA-2025-1184
OESA-2025-1185
OESA-2025-1224
OESA-2025-1451
OPENSUSE-SU-2024:14091-1
OPENSUSE-SU-2024:14098-1
OPENSUSE-SU-2024:14107-1
OPENSUSE-SU-2024:14198-1
OPENSUSE-SU-2024_2308-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3755-1
RHSA-2024:10133
RHSA-2024:6908
RHSA-2024:6912
RHSA-2024:6913
RHSA-2024:6914
RHSA-2024:6969
RHSA-2024:7349
RHSA-2024:9089
RHSA-2024:9097
RHSA-2024:9098
RHSA-2024:9102
RHSA-2024:9115
RHSA-2024:9135
RHSA-2024_6908
RHSA-2024_6913
RHSA-2024_6969
RHSA-2024_7349
RHSA-2024_9089
RHSA-2024_9097
RHSA-2024_9098
RHSA-2024_9102
RHSA-2024_9115
RHSA-2024_9135
RHSA-2025:7256
RHSA-2025_7256
RLSA-2024:6908
RLSA-2024:6913
RLSA-2024:7349
RLSA-2024:9102
RLSA-2024:9135
SUSE-SU-2024:2294-1
SUSE-SU-2024:2295-1
SUSE-SU-2024:2308-1
SUSE-SU-2024:2309-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3360-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
SUSE-SU-2024_2294-1
SUSE-SU-2024_2295-1
SUSE-SU-2024_2308-1
SUSE-SU-2024_2309-1
USN-7081-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu