CVE-2024-24791

Published: Jul 2, 2024

Modified: Oct 4, 2024

PUBLISHED

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Vendor	Product	Versions
Go standard library	net/http	affected `0 - < 1.21.12` affected `1.22.0-0 - < 1.22.5`

References

https://go.dev/cl/591255

https://go.dev/issue/67555

https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ

https://pkg.go.dev/vuln/GO-2024-2963

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-24791

Description

Affected Products

References