CVE-2022-1705

Published: Aug 10, 2022Modified: Mar 6, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

Affected (2)

Products: Golang: Go

Golang

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.17.12
Golang Go	From 1.18.0 to 1.18.4

Related CWEs

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (12)

https://go.dev/cl/409874

Source: security@golang.org

PatchVendor Advisory

https://go.dev/cl/410714

Source: security@golang.org

PatchVendor Advisory

https://go.dev/issue/53188

Source: security@golang.org

ExploitIssue TrackingPatchVendor Advisory

https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f

Source: security@golang.org

PatchVendor Advisory

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

Source: security@golang.org

Release NotesVendor Advisory

https://pkg.go.dev/vuln/GO-2022-0525

Source: security@golang.org

Vendor Advisory

https://go.dev/cl/409874