{"api_version":"1","generated_at":"2026-04-23T00:59:31+00:00","cve":"CVE-2022-2880","urls":{"html":"https://cve.report/CVE-2022-2880","api":"https://cve.report/api/cve/CVE-2022-2880.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2880","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2880"},"summary":{"title":"CVE-2022-2880","description":"Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2022-10-14 15:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI/","name":"FEDORA-2022-59a20edab2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-1.19.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/54663","name":"https://go.dev/issue/54663","refsource":"MISC","tags":[],"title":"net/http/httputil: ReverseProxy should not forward unparseable query parameters · Issue #54663 · 
golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oxeye.io/blog/golang-parameter-smuggling-attack","name":"https://www.oxeye.io/blog/golang-parameter-smuggling-attack","refsource":"MISC","tags":[],"title":"“ParseThru” – Exploiting HTTP Parameter Smuggling in Golang","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://go.dev/cl/432976","name":"https://go.dev/cl/432976","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","name":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","refsource":"MISC","tags":[],"title":"[security] Go 1.19.2 and Go 1.18.7 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2022-1038","name":"https://pkg.go.dev/vuln/GO-2022-1038","refsource":"MISC","tags":[],"title":"GO-2022-1038 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2880","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2880","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"2880","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"2880","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-2880","qid":"160322","title":"Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-24267)"},{"cve":"CVE-2022-2880","qid":"160414","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-0328)"},{"cve":"CVE-2022-2880","qid":"160440","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-0446)"},{"cve":"CVE-2022-2880","qid":"160499","title":"Oracle Enterprise Linux Security Update for ol8addon (ELSA-2023-18908)"},{"cve":"CVE-2022-2880","qid":"160582","title":"Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2357)"},{"cve":"CVE-2022-2880","qid":"160609","title":"Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2204)"},{"cve":"CVE-2022-2880","qid":"160619","title":"Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-2167)"},{"cve":"CVE-2022-2880","qid":"160655","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2023-2784)"},{"cve":"CVE-2022-2880","qid":"160663","title":"Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2866)"},{"cve":"CVE-2022-2880","qid":"160666","title":"Oracle Enterprise Linux Security Update for image builder 
(ELSA-2023-2780)"},{"cve":"CVE-2022-2880","qid":"161289","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2024-0121)"},{"cve":"CVE-2022-2880","qid":"184637","title":"Debian Security Update for golang-1.19 (CVE-2022-2880)"},{"cve":"CVE-2022-2880","qid":"199304","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6038-1)"},{"cve":"CVE-2022-2880","qid":"241070","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-2880","qid":"241106","title":"Red Hat Update for go-toolset and golang (RHSA-2023:0328)"},{"cve":"CVE-2022-2880","qid":"241132","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2023:0446)"},{"cve":"CVE-2022-2880","qid":"241187","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)"},{"cve":"CVE-2022-2880","qid":"241268","title":"Red Hat Update for multiple OpenStack Platforms (RHSA-2023:1275)"},{"cve":"CVE-2022-2880","qid":"241424","title":"Red Hat Update for image builder security (RHSA-2023:2204)"},{"cve":"CVE-2022-2880","qid":"241453","title":"Red Hat Update for grafana (RHSA-2023:2167)"},{"cve":"CVE-2022-2880","qid":"241467","title":"Red Hat Update for git-lfs (RHSA-2023:2357)"},{"cve":"CVE-2022-2880","qid":"241485","title":"Red Hat Update for grafana (RHSA-2023:2784)"},{"cve":"CVE-2022-2880","qid":"241490","title":"Red Hat Update for image builder security (RHSA-2023:2780)"},{"cve":"CVE-2022-2880","qid":"241520","title":"Red Hat Update for git-lfs (RHSA-2023:2866)"},{"cve":"CVE-2022-2880","qid":"241747","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)"},{"cve":"CVE-2022-2880","qid":"242882","title":"Red Hat Update for container-tools:4.0 (RHSA-2024:0121)"},{"cve":"CVE-2022-2880","qid":"354890","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2015"},{"cve":"CVE-2022-2880","qid":"355216","title":"Amazon Linux Security Advisory for golang : 
ALAS2023-2023-175"},{"cve":"CVE-2022-2880","qid":"356304","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-002"},{"cve":"CVE-2022-2880","qid":"378046","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0028)"},{"cve":"CVE-2022-2880","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-2880","qid":"378652","title":"Alibaba Cloud Linux Security Update for git-lfs (ALINUX3-SA-2023:0071)"},{"cve":"CVE-2022-2880","qid":"378707","title":"Alibaba Cloud Linux Security Update for grafana (ALINUX3-SA-2023:0075)"},{"cve":"CVE-2022-2880","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-2880","qid":"502529","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-2880","qid":"502859","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-2880","qid":"672413","title":"EulerOS Security Update for golang (EulerOS-SA-2022-2795)"},{"cve":"CVE-2022-2880","qid":"672476","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1035)"},{"cve":"CVE-2022-2880","qid":"672519","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1010)"},{"cve":"CVE-2022-2880","qid":"672528","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1100)"},{"cve":"CVE-2022-2880","qid":"672533","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1124)"},{"cve":"CVE-2022-2880","qid":"672621","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1385)"},{"cve":"CVE-2022-2880","qid":"672650","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1357)"},{"cve":"CVE-2022-2880","qid":"672761","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1505)"},{"cve":"CVE-2022-2880","qid":"690952","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (854c2afb-4424-11ed-af97-adcabf310f9b)"},{"cve":"CVE-2022-2880","qid":"710791","title":"Gentoo Linux Go Multiple 
Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2022-2880","qid":"753218","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2022:3669-1)"},{"cve":"CVE-2022-2880","qid":"753359","title":"SUSE Enterprise Linux Security Update for go1.18 (SUSE-SU-2022:3668-1)"},{"cve":"CVE-2022-2880","qid":"754047","title":"SUSE Enterprise Linux Security Update for go1.18-openssl (SUSE-SU-2023:2312-1)"},{"cve":"CVE-2022-2880","qid":"770172","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-2880","qid":"770176","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)"},{"cve":"CVE-2022-2880","qid":"770197","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)"},{"cve":"CVE-2022-2880","qid":"904230","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11155)"},{"cve":"CVE-2022-2880","qid":"904255","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129)"},{"cve":"CVE-2022-2880","qid":"907517","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-1)"},{"cve":"CVE-2022-2880","qid":"907753","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11155-1)"},{"cve":"CVE-2022-2880","qid":"907855","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-2)"},{"cve":"CVE-2022-2880","qid":"908054","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-4)"},{"cve":"CVE-2022-2880","qid":"940905","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:0328)"},{"cve":"CVE-2022-2880","qid":"940911","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:0446)"},{"cve":"CVE-2022-2880","qid":"941046","title":"AlmaLinux Security Update for grafana (ALSA-2023:2167)"},{"cve":"CVE-2022-2880","qid":"941053","title":"AlmaLinux Security Update for git-lfs 
(ALSA-2023:2357)"},{"cve":"CVE-2022-2880","qid":"941063","title":"AlmaLinux Security Update for Image (ALSA-2023:2204)"},{"cve":"CVE-2022-2880","qid":"941104","title":"AlmaLinux Security Update for grafana (ALSA-2023:2784)"},{"cve":"CVE-2022-2880","qid":"941108","title":"AlmaLinux Security Update for git-lfs (ALSA-2023:2866)"},{"cve":"CVE-2022-2880","qid":"941118","title":"AlmaLinux Security Update for Image (ALSA-2023:2780)"},{"cve":"CVE-2022-2880","qid":"941535","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2024:0121)"},{"cve":"CVE-2022-2880","qid":"960489","title":"Rocky Linux Security Update for go-toolset and golang (RLSA-2023:0328)"},{"cve":"CVE-2022-2880","qid":"960609","title":"Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2023:0446)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-2880","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. 
Proxies which do not parse query parameters continue to forward the original query parameters unchanged."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-444: Inconsistent Interpretation of HTTP Requests"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"net/http/httputil","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.18.7"},{"version_affected":"<","version_name":"1.19.0-0","version_value":"1.19.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/54663","refsource":"MISC","name":"https://go.dev/issue/54663"},{"url":"https://go.dev/cl/432976","refsource":"MISC","name":"https://go.dev/cl/432976"},{"url":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"},{"url":"https://pkg.go.dev/vuln/GO-2022-1038","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2022-1038"}]},"credits":[{"lang":"en","value":"Gal Goldstein (Security Researcher, Oxeye)"},{"lang":"en","value":"Daniel Abeles (Head of Research, Oxeye)"}]},"nvd":{"publishedDate":"2022-10-14 15:15:00","lastModifiedDate":"2023-11-25 
11:15:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.19.0","versionEndExcluding":"1.19.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.18.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}