vulnerability
FreeBSD: VID-a92dcc5c-e05c-11e9-b589-10c37b4ac2ea (CVE-2019-16276): go -- invalid headers are normalized, allowing request smuggling
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Sep 26, 2019 | Sep 29, 2019 | Dec 10, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Sep 26, 2019
Added
Sep 29, 2019
Modified
Dec 10, 2025
Description
The Go project reports: net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.
Solutions
freebsd-upgrade-package-gofreebsd-upgrade-package-go-devel
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.