How serious is CVE-2022-32148?

This vulnerability has a CVSS score of 6.5 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2022-32148?

Yes, proof-of-concept exploit code for CVE-2022-32148 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2022-32148?

CVE-2022-32148 affects golang go. Check the full CVE details for specific version information.

How do I fix CVE-2022-32148?

To remediate CVE-2022-32148, check for security patches from golang. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2022-32148

Medium

|6.5

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to manipulate the X-Forwarded-For header, potentially exposing the true client IP address when using the Go ReverseProxy feature. It occurs if the header is set to a nil value, which can happen in certain configurations before specific versions of Go are used.

Technical Description

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactLow

Integrity ImpactLow

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$931($500-$1K)

Vendor Response

Grade FPatched in 1304 days

Quick Information

Published

Aug 10, 2022

over 3 years ago

Last Modified

Mar 6, 2026

about 1 month ago

Vendor

golang

Product

Related Vulnerabilities

CVE-2022-30635High

An attacker can cause a program using certain versions of Go to crash by sending it a message with deeply nested data structures, which overwhelms the system's memory. This vulnerability requires the attacker to be able to send specially crafted messages to the affected application.

CVE-2022-30633High

An attacker can crash a Go application by sending a specially crafted XML document that causes excessive nesting in the data structure being processed. This vulnerability affects versions of Go before 1.17.12 and 1.18.4, and it requires the application to use the 'any' field tag in its data structures.

CVE-2022-30630High

An attacker can crash a Go application by sending it a specially crafted file path with many separators, which causes the program to run out of memory and stop working. This issue affects versions of Go before 1.17.12 and 1.18.4, so using an outdated version increases the risk.

CVE-2022-30629Low

This vulnerability allows an attacker to track users' connections by observing the ages of session tickets during secure connections, which can help them link multiple sessions together. However, the attacker needs to be able to watch the TLS handshakes happening between the user and the server to exploit this weakness.

CVE-2022-30580High

This vulnerability allows an attacker to execute malicious binaries in the working directory if they are named with the extensions "..com" or "..exe" when certain commands are run without specifying a path. This can happen in specific versions of Go when using functions that start or run commands, making it crucial for users to ensure they set the command path properly to avoid exploitation.