We have just released Go 1.15.1 and Go 1.14.8 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.15.1).
When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.
Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
Thanks to RedTeam Pentesting GmbH for reporting this issue.
This issue is CVE-2020-24553 and Go issue golang.org/issue/40928.
Downloads are available at https://golang.org/dl for all supported platforms.
Filippo and Roberto on behalf of the Go team