{"id":"GO-2021-0226","summary":"Cross-site scripting in net/http/cgi and net/http/fcgi","details":"When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.\n\nThe Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.\n\nAlthough this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.","aliases":["BIT-golang-2020-24553","CVE-2020-24553"],"modified":"2026-03-17T04:06:02.983584Z","published":"2022-01-13T03:44:58Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0226","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/252179"},{"type":"FIX","url":"https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs"},{"type":"REPORT","url":"https://go.dev/issue/40928"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.8"},{"introduced":"1.15.0-0"},{"fixed":"1.15.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["response.Write","response.WriteHeader","response.writeCGIHeader"],"path":"net/http/cgi"},{"symbols":["response.Write","response.WriteHeader","response.writeCGIHeader"],"path":"net/http/fcgi"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0226.json"}}],"schema_version":"1.7.5","credits":[{"name":"RedTeam Pentesting GmbH"}]}