golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion

Overview

Source
ID: GHSA-h86h-8ppg-mxmh
Aliases: BIT-golang-2021-31525, CVE-2021-31525, GO-2022-0236
Affected package

Description

golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
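A version check against the fixed release listed in this advisory, as an added example that is not part of the advisory or of the Go project's code. The names `Affected` and `XNetVersion` and the sample go.mod line are constructed for illustration, and prerelease strings are compared as plain text, which assumes the `v0.0.0-<timestamp>-<hash>` pseudo-version form.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed version from the advisory, written with the "v" prefix go.mod uses.
const fixedVersion = "v0.0.0-20210428140749-89ef3d95e781"

// parse splits "vX.Y.Z[-pre]" into its numeric core and prerelease string.
func parse(v string) (core [3]int, pre string, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &core[0], &core[1], &core[2])
	_, pre, _ = strings.Cut(v, "-")
	return core, pre, err
}

// Affected reports whether version sorts before the fixed version.
// Assumption: prereleases are pseudo-version suffixes, compared as strings.
func Affected(version string) (bool, error) {
	c, pre, err := parse(version)
	if err != nil {
		return false, err
	}
	fc, fpre, _ := parse(fixedVersion)
	for i := range c {
		if c[i] != fc[i] {
			return c[i] < fc[i], nil
		}
	}
	return pre != "" && pre < fpre, nil
}

// XNetVersion returns the golang.org/x/net version required in go.mod text.
func XNetVersion(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "golang.org/x/net" {
			return f[1], true
		}
	}
	return "", false
}

func main() {
	v, _ := XNetVersion("require golang.org/x/net v0.0.0-20200101000000-000000000000") // constructed go.mod line
	bad, err := Affected(v)
	fmt.Println(v, "affected:", bad, err)
}
```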

Summary

Total packages affected: 70.46k
Packages with at least one version that is affected by the advisory or has an affected dependency.

Packages with a known fix: 9.63k
Packages with versions affected by the advisory that have a greater version that is not affected.

Total ecosystem affected: 5.35%
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

Affected Version: Introduced: 0, Fixed: 0.0.0-20210428140749-89ef3d95e781
Patched/Unaffected
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
Affected