CVE-2016-5386

EPSS 45.9%

Improper input validation in net/http and net/http/cgi

Published: 8/9/2022Modified: 5/20/2024

Description

An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.

Affected packages (1)

Go/stdlibfrom 0, < 1.6.3

References (4)

PATCHhttps://go.dev/cl/25010
PATCHhttps://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223
REPORThttps://go.dev/issue/16405
WEBhttps://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ