http package, versions <1.4.3

Q: How to fix?

Upgrade std/net/http to version 1.4.3 or higher.

Threat Intelligence

19.21% (96^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-GOLANG-STDNETHTTP-14548602
published6 Jan 2026
disclosed5 Jan 2022
creditJed Denlea, Régis Leroy

Report a new vulnerability Found a mistake?

Introduced: 5 Jan 2022

CVE-2015-5739 (opens in a new tab) CWE-444 (opens in a new tab)

How to fix?

Upgrade std/net/http to version 1.4.3 or higher.

Overview

std/net/http is a Go standard library package std/net/http

Affected versions of this package are vulnerable to HTTP Request Smuggling.

Go Vulnerability Report:
HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None