Insufficient sanitization of Host header in net/http

GO-2023-1878 · BIT-golang-2023-29406 · CVE-2023-29406

Published Jul 11, 2023 · Modified Feb 4, 2026

Description

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.

With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

References

REPORT https://go.dev/issue/60374
FIX https://go.dev/cl/506996
WEB https://groups.google.com/g/golang-announce/c/2q13H6LEEx0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes