CVE-2023-29406: Go nethttp Host header risk and Azure Linux attestations

The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable Go net/http code, but it is the only Microsoft product Microsoft has publicly attested so far as “including the implicated open‑source library and therefore potentially affected.” Microsoft’s wording is an inventory-level attestation for the Azure Linux distribution and a promise to expand machine‑readable attestations (CSAF/VEX) if additional Microsoft products are later identified. /archive.vn/2025.12.07-192241/https%3A/msrc.microsoft.com/update-guide/vulnerability/CVE-2025-22026)

---

Background / Overview​

CVE‑2023‑29406 is a vulnerability in the Go standard library’s net/http HTTP/1 client: the client did not sufficiently validate Host header contents, allowing crafted Host values to inject additional headers — or in extreme cases, entire requests — into what the server receives. The Go project fixed this by adding stricter validation so that requests with invalid Request.Host or Request.URL.Host values are refused by the client. This vulnerability was publicly documented in July 2023 and fixed in Go releases 1.19.11 and 1.20.6.
This article unpacks what that means for organizations using Microsoft products — particularly the Azure Linux distribution — and explains why Microsoft’s Azure Linux attestation is important but not, on its own, an exclusivity guarantee. I verify the technical claims against multiple independent sources, walk through real‑world knock‑on effects, and provide clear, practical steps for defenders to determine exposure and mitigate risk.

---

What the vulnerability actually is (technical summary)​

• The net/http HTTP/1 client failed to fully sanitize the Host header. An attacker can place newline/control characters or otherwise malformed values in Host such that the client will forward them verbatim, potentially causing the receiving HTTP server or an intermediary (proxy, load balancer) to interpret injected lines as additional headers or even an extra HTTP request.
• The practical security consequences include header injection, request smuggling, cache poisoning, circumvention of Host-based access controls, or other downstream header‑parsing surprises that lead to data leakage or request routing/control problems. The Go project’s fix rejects Host values that contain illegal characters and returns an “invalid Host header” error for those requests.
• Affected Go versions (as documented by multiple vendor advisories) are older releases prior to the fixes: anything earlier than Go 1.19.11 and Go 1.20.0 through 1.20.5. The fixes are included in Go 1.19.11 and Go 1.20.6. These version boundaries are corroborated by distribution advisories and vulnerability trackers.

---

How Microsoft described the exposure (what their attestation means)​

When Microsoft’s Security Response Center (MSRC) says “Azure Linux includes this open‑source library and is therefore potentially affected,” that is an important and precise product‑scoped statement: it means Microsoft has inventoried the Azure Linux images and confirmed the vulnerable upstream component appears in those images. Microsoft has also committed to publishing machine‑readaons (a program started in October 2025) and to update CVE/product mappings if additional Microsoft products are identified as carriers. That phrasing is a declaration of known scope, not a categorical guarantee that no other Microsoft product includes the same vulnerable code.
Put simply:

• Microsoft has identified Azure Linux as a known carrier and is publishing that inventory result.
• Microsoft will update product mappings if it finds the same upstream code in other Microsoft artifacts.
• Until Microsoft explicitly attests other products, absence of an attestation is not proof those products are unaffected — artifact‑level confirmation is required.

This distinction matters operationally: defenders should treat Microsoft’s Azure Linux attestation as a starting point for investigation across Microsoft artifacts, not as the final word on global exposure.

---

Why Azure Linux being listed does not mean “only Azure Linux”​

There are several reasons the Azure Linux attestation does not imply exclusivity:

• Upstream code is shared widely. The vulnerable component is part of the Go standard library (net/http), which is embedded in any Go binary. That binary can be built and shipped inside many different product artifacts: daemons, agents, SDKs, container images, bespoke services, or tooling maintained by Microsoft or third parties.shes product‑scoped attestations, not automatic full‑company scans.** The Azure Linux attestation reflects inventory work tied to that product family. Microsoft’s public messaging explicitly states that it will expand the attestation data if other products are found to ship the same component. That is an operational pledge, not a denial that other artifacts could be impacted.
• Binary inclusion often depends on build choices. Whether a Microsoft product is affected depends on whether it ships a Go binary (or container image) built against an affected Go runtime version. Many products may include Go components only in limited places (for example, internal tooling, agents, or cloud-native components) — they won’t be captured by a product‑scoped inventory unless explicitly scanned.
• Distribution vs. product images. A Linux distribution image (Azure Linux) contains packages and runtime libraries; other Microsoft services may ship full application images or statically linked Go binaries where net/http is included indirectly.

Given that reality, the conservative operational stance is to assume potential presence until verified (either by vendor attestation or artifact-level scanning).

---

Corroboration from independent sources​

I verified the technical details and the affected version boundaries against multiple independent sources:

• The NVD / CVE record and standard vulnerability trackers describe the Host header validation issue and the intended fix behavior.
• Multiple vendor advisories and Linux distribution security pages (for example SUSE, Debian, Alpine, Red Hat) list the same affected version windows and the fixed Go releases (1.19.11 and 1.20.6). Those advisories were used by distro maintainers to publish patches.
• Technical writeups and developer discussion (Go issue and changelist references) document the change to refuse invalid Host values and the commit(s) implementing the check, and also detail the practical exploit vector (header or request injection). Real‑world downstream effects (for example, the docker/dind and docker‑cli projects seeing “invalid Host header” when local socket paths were used as hostnames) were discussed publicly in issues and community patches — illustrating how the stricter check can break code that previously tolerated non‑hostname strings.

Because these facts line up across project changelogs, distro advisorieseups, the technical description and the version boundaries are verifiable.

---

Practical impact across Microsoft products — threat model and likely carriers​

Who should worry, and where might the net/http code be present inside Microsoft’s ecosystem?

• Azure Linux guests and images. Microsoft’s attestation confirms Azure Linux images include the implicated upstream component and therefore needed to be updated. That directly affects customers running Azure Linux VM images or base images from Microsoft.
• Microsoft cloud services and platform components. Any Microsoft service that ships Go binaries (or containers containing Go binaries) built with vulnerable Go versions could be affected in principle. Examples in the broader ecosystem include cloud‑native tooling, container-side agents, or networking components — but public confirmation requires a Microsoft attestation or artifact scan.
• Client tools and SDKs. If a Microsoft SDK or CLI component is written in Go (or vendors a Go binary), it could be affected. In practice many Microsoft client tools are written in other languages, but some cloud-native tooling or third‑party projects integrated by Microsoft could be Go‑based.
• Edge and IoT devices. Devices or edge agents that run Go‑based services may also contain net/http and thus are candidate carriers.

The bottom line: any artifact that includes a Go standard library binary built from an affected Go version is a potential carrier. Determining actual exposure requires checking the specific artifacts (binaries, contain build metadata.

---

How to determine exposure (operational checklist)​

Use the following prioritized steps to discover whether a Microsoft product or artifact you run is affected:

• Inventory Microsoft artifacts you control.
• Collect images, packages, agents, and binaries you run that are provided by Microsoft (Azure Marketplace images, managed agent installers, Microsoft container images, WSL kernels). Microsoft’s Azure Linux attestation is a starting point but not exhaustive.
• Scan for Go runtime components and versions inside artifacts.
• For containers and images: inspect installed packages and the Go runtime version (if present).
• For binaries: use version strings, symbol tables, or build information (GOOS/GOARCH/Go buildinfo) to determine the Go toolchain version used at build time. (The go buildinfo embedded in binaries is a reliable source if present.)
• For container images and VMs:
• Search for the presence of net/http imports or Go runtime files, or run a lightweight script to check for statically‑linked symbols.
• Check package manager advisories (your distribution vendor) for whether Go packages were patched to 1.19.11 / 1.20.6 or later.
• For dynamic services and platform components:
• If you operate managed Microsoft services, consult the Microsoft security advisories, product update notes, and the CSAF/VEX attestations (Microsoft committed to publishing machine‑readable VEX in October 2025) to see whether your service is listed.
• Confirm by testing (only in safe environments):
• In a non‑production test environment run a request that sets a crafted Host header and observe whether the local client refuses it (produces “http: invalid Host header” on newer fixed clients) or whether the server receives injected headers. Use care: do not probe third‑party services you do not own.

---

Mitigation and remediation guidance​

• Upgrade Go runtimes and rebuild.
• If you maintain Go code or ship Go binaries: rebuild with Go 1.19.11 or Go 1.20.6 (or any later patch release). Confirm the compiled binary’s buildinfo indicates a fixed Go version. Distro maintainers also shipped patched go packages; apply vendor distro updates where applicable.
• Patch container images and packages.
• For Azure Linux images, apply the updates Microsoft and the distro maintainers publish. For other distributions, apply the vendor security updates (SUSE, Red Hat, Debian, Alpine, etc.) as they released fixes referencing the same CVE.
• Sanitize and validate Host values server-side.
• Do not rely solely on client behavior. Servers and proxies should validate Host header values, reject illegal characters, and treat Host aDefense‑in‑depth requires both client and server validation.
• Harden proxies and load balancers.
• Ensure intermediaries do not blindly trust Host header values from upstream; enforce header canonicalization and strict parsing on edge proxies.
• Monitor for anomalous Host values.
• Use logging and IDS rules to detect unusual Host header patterns (lines, embedded control chars, newlines). These are strong indicators someone is trying to exploit header-injection classes of bugs.
• Apply vendor guidance and follow Microsoft VEX attestations.
• Watch Microsoft’s security update guide and the CSAF/VEX attestations (as they are published) for product‑level mappings. Microsoft has committed to expanding its attestations when new carrier products are identified.

---

Real‑world consequences and subtle operational impacts​

This vulnerability is an example of how security hardening in a widely used runtime can have two simultaneous effects:

• Fixes reduce exploitation surface (the Go change prevents header injection from malformed Host values).
• Fixes can break previously‑working code that relied on tolerant behavior. For example, Docker tooling and other projects that used non‑host strings in the Host field (e.g., socket paths) saw errors such as “http: invalid Host header” after the stricter check was released; downstream projects issued patches to accommodate the new behavior. This demonstrates the need to test after an upgrade, not only for security reasons but for functional compatibility. (github.com)

In short: upgrading is necessary, but it must be accompanied by a testing sweep across tools and scripts that may have relied on the older, permissive behavior.

---

Critical analysis: Microsoft’s attestation practice and what it means for defenders​

Microsoft’s move to publish product‑level attestations (CSAF/VEX) for Azure Linux is an important transparency step: it helps customers quickly understand whether a particular Microsoft‑published product image contains the vulnerable upstream component. However, there are practical limits:

• Scope‑limited by design. An attestation such as “Azure Linux includes this library” confirms inventory work for that product family; it does not automatically inventory every Microsoft artifact or third‑party image. Customers must still verify the artifacts they run.
• Attestations are only as useful as their coverage and timeliness. Microsoft has committed to updating attestations when more products are found to be carriers, but until that happens organizations must maintain their own artifact‑level verification and scanning to detect exposure in non‑attested products.
• Operational friction when runtime behavior changes. The Go fix is a security win, but it caused ty problems in tooling that treated non‑host strings as hostnames. This underscores the need for testing windows and for vendor coordination so customers can upgrade without operational surprises.

Overall, Microsoft’s approach of publishing VEX/CSAF attestations is valuable — it makes supply‑chain inventory work visible — but defenders should use those attestations as one source of truth among others (SBOMs, artifact scans, and vendor advisories).

---

Recommended immediate actions for WindowsForum readers and operators​

• If you run Azure Linux images, apply Microsoft’s published updates for the distribution as soon as they are available. Azure Linux has been inventoried and declared a potential carrier; follow Microsoft’s remediation guidance for that product.
• Scan all Microsoft artifacts you run (images, agents, binaries) for embedded Go runtime components and determine the Go version used to build them. If you find builds using versions earlier than 1.19.11 or between 1.20.0 and 1.20.5, plan rebuilds or vendor updates.
• For binaries you cannot rebuild (third‑party or vendor‑provided), request vendor confirmation (or a machine‑readable VEX/CSAF attestation) showing the component is not vulnerable or has been patched.
• Harden servers and proxies to validate Host values, and add logging to detect suspicious Host header cont in staging before rolling them into production, with special attention to tooling that interacts with local sockets or non‑standard Host values (these were practical break points for the stricter Go Host checks).

---

What remains uncertain (and how to treat unverifiable claims)​

• Microsoft’s attestation confirms Azure Linux as a known carrier; whether other Microsoft products also contain the vulnerable net/http code is only verifiable through Microsoft updates or artifact scans. Absent an explicit Microsoft attestation for additional products, defenders must proceed with artifact‑level verification rather than assuming absence of exposure. This is a practical uncertainty, not a technical one: the code is upstream and can be included in many artifacts — presence must be confirmed or denied per artifact.
• Public exploit code: while technical writeups show clear exploit mechanics (header injection), widespread, weaponized exploitation has not been prominent in public exploit feeds. Nevertheless, the class of vulnerability (header injection leading to request smuggling or poisoning) is high‑impact if successfully exploited. Treat the lack of large‑scale exploit chatter as a reason to patch, not to defer.

---

Final assessment and conclusion​

CVE‑2023‑29406 is a concrete example of how a relatively small validation oversight in a ubiquitous runtime can create outsized risk across an ecosystem. The fix in Go (rejecting invalid Host headers) is the correct technical response, but the operational reality is twofold: (1) defenders must patch and rebuild any Go‑based artifacts built with affected versions; and (2) they must verify whether the software and images they run — including Microsoft artifacts — actually include those vulnerable runtime versions.
Microsoft’s public attestation that Azure Linux includes the implicated library is meaningful and useful; it confirms the company has inventoried that product family and will publish machine‑readable attestations going forward. However, Microsoft’s wording is deliberately scoped to Azure Linux and is therefore not an exclusivity guarantee. Customers should treat the attestation as an authoritative inventory entry for Azure Linux but must still perform artifact‑level scanning and apply the mitigation checklist above to be confident about exposure across other Microsoft products and artifacts.
Actionable next steps: inventory, scan for Go builds and versions, apply vendor/distro patches (Go 1.19.11 / 1.20.6 or later), and harden parsing and logging on the server/proxy side. These steps will close the technical gap and reduce the operational risk from both the vulnerability and the compatibility changes the fix introduced.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center