CVE-2022-32148

Published: August 31, 2023Last modified: July 22, 2025

Description

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.

Severity score breakdown

Parameter	Value
Base score	6.5
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	LOW
Integrity impact	LOW
Availability impact	NONE
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	go	Not affected (1.19.9-r1)
Alpaquita Linux	Stream	go	Not affected (1.21.0-r2)
Hardened Containers	23 LTS	go	Not affected (1.19.9-r1)
Hardened Containers	Stream	go	Not affected (1.21.0-r2)

References

https://go.dev/cl/412857
https://go.dev/issue/53423
https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
https://pkg.go.dev/vuln/GO-2022-0520