Medium severity5.9NVD Advisory· Published May 27, 2021· Updated Jun 17, 2026
CVE-2021-31525
CVE-2021-31525
Description
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/netGo | < 0.0.0-20210428140749-89ef3d95e781 | 0.0.0-20210428140749-89ef3d95e781 |
Affected products
23- Go/Godescription
- osv-coords22 versionspkg:apk/chainguard/grpcurlpkg:apk/chainguard/heypkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/terraform-provider-sendgridpkg:apk/chainguard/terraform-provider-sendgrid-fipspkg:apk/wolfi/grpcurlpkg:apk/wolfi/heypkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/terraform-provider-sendgridpkg:bitnami/golangpkg:golang/golang.org/x/netpkg:rpm/opensuse/go1.15&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/go1.15&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.16&distro=openSUSE%20Tumbleweedpkg:rpm/suse/go1.15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/go1.15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/go1.16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/go1.16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3
< 1.8.7-r7+ 21 more
- (no CPE)range: < 1.8.7-r7
- (no CPE)range: < 0.1.4-r3
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.8.7-r7
- (no CPE)range: < 0.1.4-r3
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.15.12
- (no CPE)range: < 0.0.0-20210428140749-89ef3d95e781
- (no CPE)range: < 1.15.12-lp152.17.1
- (no CPE)range: < 1.15.15-1.2
- (no CPE)range: < 1.16.8-1.1
- (no CPE)range: < 1.15.12-1.30.1
- (no CPE)range: < 1.15.12-1.30.1
- (no CPE)range: < 1.16.4-1.14.2
- (no CPE)range: < 1.16.4-1.14.2
Patches
Vulnerability mechanics
References
11- github.com/golang/go/issues/45710nvdIssue TrackingPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-h86h-8ppg-mxmhghsaADVISORY
- groups.google.com/g/golang-announce/c/cu9SP4eSXMcnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-31525ghsaADVISORY
- security.gentoo.org/glsa/202208-02nvdThird Party AdvisoryWEB
- go.dev/cl/313069ghsaWEB
- go.dev/issue/45710ghsaWEB
- go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBFghsaWEB
- pkg.go.dev/vuln/GO-2022-0236ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/nvd
News mentions
0No linked articles in our index yet.