CVE-2023-29406: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted...

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.33695%
Published: 7/11/2023
Updated: 11/25/2023
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Vulnerability Intelligence

Root Cause Analysis

The vulnerability CVE-2023-29406 concerns the Go net/http client's failure to fully validate the Host header, allowing injection of headers or entire requests. I analyzed the information from https://pkg.go.dev/vuln/GO-2023-1878 and manually inspected the patch details from the Gerrit CL https://go-review.googlesource.com/c/go/+/506996/ (commit 236b1804397317a3ebf1d58394dfd69801900102). The patch introduces validation for Request.Host and Request.URL.Host in key functions responsible for writing and sending HTTP requests. The vulnerable functions are those that previously processed these fields without the now-added validation. Specifically, Request.Write and Request.WriteProxy are directly involved in serializing the request, including the Host header. Transport.roundTrip is the high-level function in the transport layer that orchestrates sending the request and now incorporates these checks. The absence of these checks in these functions prior to the patch constituted the vulnerability.
