CVE-2021-31525
Published: 2021-05-27
Priority: P4 · 28 · medium · 5.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.69% (88.3rd percentile)
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.9-2 (bullseye) | golang-1.15 1.15.9-2 (bullseye) |
| debian | golang-golang-x-net | < golang-1.15 1.15.9-2 (bullseye) | golang-1.15 1.15.9-2 (bullseye) |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20210428140749-89ef3d95e781 | 0.0.0-20210428140749-89ef3d95e781 |
| golang | go | < 1.15.12 | 1.15.12 |
| golang | go | >= 1.16.0 < 1.16.4 | 1.16.4 |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
| redhat | openshift_serverless | < 1.17.0 | 1.17.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:N/A:P |
| osv | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_msrc | — | 5.9 | MEDIUM | — |
Palo Alto · vendor_paloalto · 2024-11-01 · CVSS 9.8
CVE-2017-12424 [CRITICAL] PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Red Hat · vendor_redhat · 2021-09-13 · CVSS 7.5
CVE-2021-3703 [HIGH] serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.
CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed for Serverless 1.16.0 and Serverless client kn 1.16.0.
Statement: The flaw is moderate as the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 are moderate. The score is assigned as per the highest score given in CVE-2021-27918 and CVE-2021-33196.
Package: knative-eventing (OpenShift Serverless) - Not affected
Package: knative-serving (OpenShift Serverless) - Not affected
Red Hat · vendor_redhat · 2021-08-18 · CVSS 5.9
CVE-2021-23161 [MEDIUM] CWE-477 serverless: incomplete fix of CVE-2021-31525
[REJECTED CVE] A version of golang that is affected by CVE-2021-31525 was incorrectly shipped in the Red Hat Serverless 1.16.0 release.
Statement: This flaw was found to be a duplicate of CVE-2021-3703. Please see https://access.redhat.com/security/cve/CVE-2021-3703 for information about affected products and security errata.
Package: golang (OpenShift Serverless) - Affected
Microsoft · vendor_msrc · 2021-05-11 · CVSS 5.9
CVE-2021-31525 [MEDIUM] CWE-674
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional pro
Red Hat · vendor_redhat · 2021-04-22 · CVSS 5.9
CVE-2021-31525 [MEDIUM] CWE-770 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go; however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default.
Statement: This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenS
Debian · vendor_debian · 2021 · CVSS 5.9
CVE-2021-31525 [MEDIUM] golang-1.15
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Scope: local
bullseye: resolved (fixed in 1.15.9-2)
GHSA · ghsa_unreviewed · 2022-08-27 · CVSS 7.5
CVE-2021-3703 [HIGH] GHSA-x358-pmcq-q2x3
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.
OSV · osv · 2022-07-15
CVE-2021-31525 Panic due to large headers in net/http and golang.org/x/net/http/httpguts
A malicious HTTP server or client can cause the net/http client or server to panic.
ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
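The OSV advisory above separates two exposure conditions: a Server is only reachable once Server.MaxHeaderBytes has been raised past the 1MB default, while Transport and Client are exposed on any affected toolchain. The Go program below is an added example, not code from the Go project or from any advisory on this page. It gives a defender two audit checks: whether a toolchain version string falls inside the affected ranges listed on this page (before 1.15.12, or 1.16.0 up to but not including 1.16.4), and whether an http.Server has raised MaxHeaderBytes above http.DefaultMaxHeaderBytes. The function names, the version-string handling, and the 16MB sample limit are my own constructions.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// goVersionAffected reports whether a toolchain version string such as
// "go1.16.3" or "1.15.11" falls in the ranges this page lists as affected:
// anything before 1.15.12, or 1.16.0 up to (not including) 1.16.4.
// Unparseable strings return false so the caller can inspect them by hand.
func goVersionAffected(v string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok || major != 1 {
		return false
	}
	switch {
	case minor < 15:
		return true // older than the 1.15 line entirely
	case minor == 15:
		return patch < 12
	case minor == 16:
		return patch < 4
	default:
		return false // 1.17 and later ship the fix
	}
}

// parseGoVersion extracts major.minor.patch from "go1.16.3", "1.16", etc.
// A missing patch number is taken as 0, matching Go's own convention, and
// pre-release suffixes ("rc1", "beta1") are dropped before parsing.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	for _, sep := range []string{"rc", "beta"} {
		if i := strings.Index(v, sep); i >= 0 {
			v = v[:i]
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// serverHeaderLimitRisky reports whether an http.Server has raised
// MaxHeaderBytes above the 1MB default (a zero value means the default).
// Per the advisory, a Server on an affected toolchain is only reachable by
// a malicious client when this limit has been increased.
func serverHeaderLimitRisky(srv *http.Server) bool {
	return srv.MaxHeaderBytes > http.DefaultMaxHeaderBytes
}

func main() {
	// Constructed sample configurations: one with a raised limit, one at the default.
	weak := &http.Server{Addr: ":8080", MaxHeaderBytes: 16 << 20} // 16MB, above default
	hardened := &http.Server{Addr: ":8080"}                        // MaxHeaderBytes 0 => 1MB default

	for _, v := range []string{"go1.15.11", "go1.15.12", "go1.16.3", "go1.16.4", "go1.17"} {
		fmt.Printf("%-10s affected=%v\n", v, goVersionAffected(v))
	}
	fmt.Println("weak server header limit risky:", serverHeaderLimitRisky(weak))
	fmt.Println("hardened server header limit risky:", serverHeaderLimitRisky(hardened))
}
```

The version check is deliberately conservative on the boundaries the page gives: 1.15.12 and 1.16.4 are the first fixed releases and report as not affected, while a bare "1.16" is treated as 1.16.0 and reports as affected. The server check only flags a raised limit; on a fixed toolchain a higher MaxHeaderBytes is a resource-consumption choice rather than this panic.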
GHSA · ghsa · 2022-05-24
CVE-2021-31525 [MEDIUM] CWE-674 golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion
golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
OSV · osv · 2022-05-24
CVE-2021-31525 [MEDIUM] golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion
golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
OSV · osv · 2021-05-27 · CVSS 5.9
CVE-2021-31525 [MEDIUM]
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://github.com/golang/go/issues/45710
https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/
https://security.gentoo.org/glsa/202208-02