CVE-2019-9741 in Google

Summary

by MITRE

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.


Analysis

by VulDB Data Team • 05/21/2025

The vulnerability identified as CVE-2019-9741 represents a critical server-side request forgery and CRLF injection flaw within the Go programming language's standard library. This issue specifically affects the net/http package in Go version 1.11.5 and earlier versions, where improper handling of user-controllable input parameters creates opportunities for attackers to inject malicious content into HTTP requests. The vulnerability manifests when an attacker can control a URL parameter that gets passed directly to the http.NewRequest function, enabling the insertion of carriage return and line feed characters that can manipulate HTTP headers or command sequences.

The vulnerability stems from insufficient input validation and sanitization during HTTP request construction. When developers pass user-provided parameters directly into the http.NewRequest function without sanitizing them, the Go runtime fails to escape or reject special characters, including carriage return and line feed characters. This lets attackers inject CRLF sequences that alter the structure of the HTTP request, potentially allowing them to manipulate headers, inject additional commands, or redirect requests to unintended destinations. The vulnerability is particularly dangerous because it can be triggered through URL parameters, making it reachable via standard web application interfaces and API endpoints.

The operational impact of CVE-2019-9741 extends beyond simple header manipulation to encompass broader security implications including potential data exfiltration, request smuggling, and cache poisoning attacks. Attackers could leverage this vulnerability to bypass authentication mechanisms, inject malicious headers that alter request behavior, or even craft requests that appear to come from trusted sources. The vulnerability aligns with CWE-113, which specifically addresses improper neutralization of CRLF sequences, and maps to ATT&CK technique T1071.004 for application layer protocol manipulation. Organizations running Go applications that process user input through HTTP request construction are at risk of having their web services compromised, potentially leading to unauthorized access to backend systems or data breaches.

Mitigation strategies for this vulnerability require immediate patching of affected Go versions to 1.11.6 or later, which includes the necessary input validation fixes. Additionally, developers should implement comprehensive input sanitization practices, including the validation and escaping of all user-controllable parameters before they are used in HTTP request construction. Organizations should also consider implementing web application firewalls and input validation layers that can detect and block suspicious CRLF sequences. The fix addresses the root cause by ensuring that HTTP headers and URL parameters are properly sanitized, preventing the injection of malicious carriage return and line feed characters that could alter HTTP request behavior. Security teams should conduct thorough code reviews to identify all instances where user input is directly passed to HTTP request functions, ensuring that proper validation and sanitization measures are in place to prevent similar vulnerabilities from occurring in the future.
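The checks described above, as an added example that is not VulDB's or the Go project's own code: a caller rejects control characters in user-controlled values before they reach http.NewRequest or req.Header.Set, and carries the value as a percent-encoded query parameter (via url.Values) rather than splicing it into the URL string. The helper names, the placeholder host internal.example and the sample input carrying a CRLF and an extra header line are all constructed for this example. The last function shows the raw-concatenation pattern the advisory warns about; on Go 1.12 and later, url.Parse itself rejects the control character, so http.NewRequest returns an error there.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Constructed sample input for the demo: a query value carrying CRLF followed
// by a header line, the shape of input the advisory summary describes.
const constructedInput = "x\r\nX-Injected: 1"

// containsCTL reports whether s holds any ASCII control byte (0x00-0x1F, 0x7F).
// CR and LF are the bytes that matter for CRLF injection; rejecting the whole
// control range is the stricter, simpler rule.
func containsCTL(s string) bool {
	for i := 0; i < len(s); i++ {
		if b := s[i]; b < 0x20 || b == 0x7f {
			return true
		}
	}
	return false
}

// validateHeaderValue is the check to apply to any user-controlled value
// before it is passed to req.Header.Set. (Hypothetical helper for this example.)
func validateHeaderValue(v string) error {
	if containsCTL(v) {
		return errors.New("header value contains control character")
	}
	return nil
}

// encodedQuery carries the user value as a query parameter. url.Values
// percent-encodes CR and LF (%0D%0A), so the value cannot break the request
// line even when it survives to this point.
func encodedQuery(userValue string) string {
	q := url.Values{}
	q.Set("key", userValue)
	return q.Encode()
}

// buildLookupRequest is the hardened pattern: validate first, then build the
// URL from structured parts instead of string concatenation.
// internal.example is a placeholder host, not a real service.
func buildLookupRequest(userValue string) (*http.Request, error) {
	if containsCTL(userValue) {
		return nil, errors.New("rejected: control character in user input")
	}
	u := url.URL{
		Scheme:   "https",
		Host:     "internal.example",
		Path:     "/lookup",
		RawQuery: encodedQuery(userValue),
	}
	return http.NewRequest(http.MethodGet, u.String(), nil)
}

// rawConcatErr is the pattern the advisory warns about: the user value is
// spliced straight into the URL string. It returns whatever error
// http.NewRequest produces; on Go 1.12+ url.Parse rejects control characters.
func rawConcatErr(userValue string) error {
	_, err := http.NewRequest(http.MethodGet,
		"https://internal.example/lookup?key="+userValue, nil)
	return err
}

func main() {
	fmt.Printf("contains control byte: %v\n", containsCTL(constructedInput))
	fmt.Printf("header check: %v\n", validateHeaderValue(constructedInput))
	fmt.Printf("encoded query: %s\n", encodedQuery(constructedInput))
	if _, err := buildLookupRequest(constructedInput); err != nil {
		fmt.Printf("hardened builder: %v\n", err)
	}
	fmt.Printf("raw concatenation: %v\n", rawConcatErr(constructedInput))
}
```

The validation step and the encoding step are independent layers: the first rejects hostile input outright, the second guarantees that anything that does pass cannot change the meaning of the request line or header block.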

Reservation

03/13/2019

Moderation

accepted

CPE

ready

EPSS

0.03341

KEV

no

Activities

very low

Sources
