Related Vulnerabilities: CVE-2021-31525  

Severity Low

Remote Yes

Type Denial of service

Description

A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
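
The server-side condition described above can be audited in code. This is an added example, not part of the advisory or of the Go project: affectedVersion and serverExposure are hypothetical helper names, the 16MB setting is a constructed sample, and the check does not cover Transport or Client, which the advisory lists as vulnerable on any affected version.

```go
package main

import (
	"fmt"
	"net/http"
	"runtime"
	"strconv"
)

// affectedVersion reports whether a runtime.Version() string such as "go1.16.3"
// is before 1.16.4, the fixed version named in the advisory.
func affectedVersion(v string) bool {
	var maj, min, patch int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &maj, &min, &patch); n < 2 {
		return true // unparsable (e.g. a devel build): treat as affected
	}
	return maj < 1 || (maj == 1 && (min < 16 || (min == 16 && patch < 4)))
}

// serverExposure classifies one http.Server against the advisory's server-side
// condition. intSize is 32 or 64 (strconv.IntSize for the running binary).
func serverExposure(goVersion string, srv *http.Server, intSize int) string {
	if !affectedVersion(goVersion) {
		return "fixed version"
	}
	limit := srv.MaxHeaderBytes
	if limit <= 0 {
		limit = http.DefaultMaxHeaderBytes // 1MB default, per the advisory
	}
	panicSize := 7 << 20 // "over 7MB on 64-bit architectures"
	if intSize == 32 {
		panicSize = 4 << 20 // "over 4MB on 32-bit ones"
	}
	switch {
	case limit > panicSize:
		return "exposed: limit admits a header of the panic size"
	case limit > http.DefaultMaxHeaderBytes:
		return "raised above default: review"
	}
	return "default limit: not exposed"
}

func main() {
	srv := &http.Server{MaxHeaderBytes: 16 << 20} // constructed sample config
	fmt.Println(serverExposure(runtime.Version(), srv, strconv.IntSize))
}
```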

AVG-1927 go 2:1.16.3-1 Low Vulnerable

https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
https://github.com/golang/go/issues/45710
https://github.com/golang/net/commit/89ef3d95e781148a0951956029c92a211477f7f9
https://github.com/golang/go/commit/d4adea20f01627098936e050d3a73922f7ebe08f