{"id":"AZL-43068","summary":"CVE-2024-24791 affecting package golang for versions less than 1.22.5-1","details":"The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.","modified":"2026-04-01T05:14:58.778371Z","published":"2024-07-02T22:15:04Z","upstream":["CVE-2024-24791"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24791"}],"affected":[{"package":{"name":"golang","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/golang"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22.5-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43068.json"}}],"schema_version":"1.7.5"}