How serious is CVE-2022-1705?

This vulnerability has a CVSS score of 6.5 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2022-1705?

Yes, proof-of-concept exploit code for CVE-2022-1705 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2022-1705?

CVE-2022-1705 affects golang go. Check the full CVE details for specific version information.

How do I fix CVE-2022-1705?

To remediate CVE-2022-1705, check for security patches from golang. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2022-1705

Medium

|6.5

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to sneak malicious requests past a server by exploiting certain invalid headers in HTTP requests, but it only works if there’s an intermediate server that also fails to properly reject those headers. To be successful, the attacker needs to carefully craft the requests and rely on the misconfiguration of the servers involved.

Technical Description

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactLow

Integrity ImpactLow

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$931($500-$1K)

Vendor Response

Grade FPatched in 1303 days

Quick Information

Published

Aug 10, 2022

over 3 years ago

Last Modified

Mar 6, 2026

about 1 month ago

Vendor

golang

Product

Related Vulnerabilities

CVE-2022-32148Medium

This vulnerability allows an attacker to manipulate the X-Forwarded-For header, potentially exposing the true client IP address when using the Go ReverseProxy feature. It occurs if the header is set to a nil value, which can happen in certain configurations before specific versions of Go are used.

CVE-2022-30635High

An attacker can cause a program using certain versions of Go to crash by sending it a message with deeply nested data structures, which overwhelms the system's memory. This vulnerability requires the attacker to be able to send specially crafted messages to the affected application.

CVE-2022-30633High

An attacker can crash a Go application by sending a specially crafted XML document that causes excessive nesting in the data structure being processed. This vulnerability affects versions of Go before 1.17.12 and 1.18.4, and it requires the application to use the 'any' field tag in its data structures.

CVE-2022-30630High

An attacker can crash a Go application by sending it a specially crafted file path with many separators, which causes the program to run out of memory and stop working. This issue affects versions of Go before 1.17.12 and 1.18.4, so using an outdated version increases the risk.

CVE-2022-30629Low

This vulnerability allows an attacker to track users' connections by observing the ages of session tickets during secure connections, which can help them link multiple sessions together. However, the attacker needs to be able to watch the TLS handshakes happening between the user and the server to exploit this weakness.