Go HTTP Client Host Header Injection Vulnerability
CVE-2023-29406 Published on July 11, 2023

Insufficient sanitization of Host header in net/http
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

NVD

Products Associated with CVE-2023-29406

stack.watch emails you whenever new vulnerabilities are published in GoLang Go or Canonical Ubuntu Linux. Just hit a watch button to start following.

GoLang Go

Canonical Ubuntu Linux

Affected Versions

Go standard library net/http:

Before 1.19.11 is affected.
Version 1.20.0-0 and below 1.20.6 is affected.

Exploit Probability

EPSS

0.24%

Percentile

46.38%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Go HTTP Client Host Header Injection VulnerabilityCVE-2023-29406 Published on July 11, 2023

Products Associated with CVE-2023-29406

Affected Versions

Exploit Probability

Go HTTP Client Host Header Injection Vulnerability
CVE-2023-29406 Published on July 11, 2023