net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| golang.org/x/net(Go) | 0 | 0.0.0-20210428140749-89ef3d95e781 | N/A |
CVSS Metrics
