The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat OpenShift Service Mesh 3.0 | RedHat | registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:sha256:3a7f9a4d81b0c801a045b93d5fc0ea3f6bd051f6badf4dc1ec8d812a348d98e5 | * |
Golang-1.23 | Ubuntu | upstream | * |
Golang-1.24 | Ubuntu | upstream | * |