Net/http

This hub aggregates every CVE we track for Net/http, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Net/http.

• CVE-2026-33814Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net7.5May 7, 2026
• CVE-2025-58186Lack of limit when parsing cookies can cause memory exhaustion in net/http5.3Oct 29, 2025
• CVE-2025-47910CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http5.4Sep 22, 2025
• CVE-2025-4673Sensitive headers not cleared on cross-origin redirect in net/http6.8Jun 11, 2025
• CVE-2025-22870HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net4.4Mar 12, 2025
• CVE-2024-45336Sensitive headers incorrectly sent after cross-domain redirect in net/http6.1Jan 28, 2025
• CVE-2024-24791Denial of service due to improper 100-continue handling in net/http7.5Jul 2, 2024
• CVE-2023-45288HTTP/2 CONTINUATION flood in net/http7.5Apr 4, 2024
• CVE-2023-45289Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http4.3Mar 5, 2024
• CVE-2023-39325HTTP/2 rapid reset can cause excessive work in net/http7.5Oct 11, 2023
• CVE-2023-29406Insufficient sanitization of Host header in net/http6.5Jul 11, 2023
• CVE-2022-41723Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net7.5Feb 28, 2023
• CVE-2022-41717Excessive memory growth in net/http and golang.org/x/net/http25.3Dec 8, 2022
• CVE-2022-41720Restricted file access on Windows in os and net/http7.5Dec 7, 2022
• CVE-2022-32148Exposure of client IP addresses in net/http6.5Aug 9, 2022