Use of a Broken or Risky Cryptographic Algorithm

  • Rule ID: go_gosec_blocklist_cgi
  • Languages: go
  • Source: cgi.yml


Using the net/http/cgi package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. It arises from the way the CGI and FastCGI protocols map request headers to environment variables: a client-supplied Proxy header becomes the HTTP_PROXY environment variable, which HTTP client libraries read to choose an outgoing proxy. An attacker can therefore redirect the outgoing HTTP requests made by the web application through a proxy of their choosing and intercept them.


✅ Update Go Version

Ensure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.

# Check Go version and update if necessary
go version
# Follow Go's update instructions if your version is < 1.6.3

✅ Use Alternative Packages

Refrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.

// Use the standard net/http package instead
import "net/http"

❌ Don't Use net/http/cgi in Older Versions

Do not use the net/http/cgi package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.

// This import is vulnerable to Httpoxy in Go < 1.6.3
import "net/http/cgi"

❌ Avoid Exposing Environment Variables

Ensure that environment variables such as HTTP_PROXY are not exposed unintentionally, for example by being consulted for outbound HTTP requests or passed on to child processes, as this can be leveraged for Httpoxy attacks.
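The following Go program is an added example, not code from the Bearer rule or the Go standard library. It illustrates the mitigation described above in two pieces: a proxy selector that ignores HTTP_PROXY whenever the process runs under CGI (REQUEST_METHOD is set, as RFC 3875 requires), which is the same signal Go 1.6.3 and later use, and an environment sanitizer that strips the variable before it reaches child processes. The function names, the sample environments and the documentation-range proxy address 203.0.113.5 are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// envMap turns KEY=VALUE pairs (the shape os.Environ returns) into a map.
func envMap(env []string) map[string]string {
	m := make(map[string]string, len(env))
	for _, kv := range env {
		if i := strings.IndexByte(kv, '='); i > 0 {
			m[kv[:i]] = kv[i+1:]
		}
	}
	return m
}

// runningUnderCGI reports whether the process was started by a CGI gateway.
// CGI always sets REQUEST_METHOD, so its presence means HTTP_PROXY may have
// been derived from an attacker-controlled Proxy request header.
func runningUnderCGI(env map[string]string) bool {
	_, ok := env["REQUEST_METHOD"]
	return ok
}

// proxyFromEnv picks the outbound proxy for http:// targets from HTTP_PROXY,
// except under CGI, where the variable is untrusted and is ignored.
// A nil URL means "connect directly".
func proxyFromEnv(env map[string]string, target *url.URL) (*url.URL, error) {
	if runningUnderCGI(env) {
		return nil, nil
	}
	if target.Scheme != "http" {
		return nil, nil // only the plain-HTTP variable is modelled here
	}
	raw := env["HTTP_PROXY"]
	if raw == "" {
		raw = env["http_proxy"]
	}
	if raw == "" {
		return nil, nil
	}
	return url.Parse(raw)
}

// newClient builds an http.Client whose Transport consults proxyFromEnv with
// the live process environment instead of relying on default behaviour.
func newClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			Proxy: func(req *http.Request) (*url.URL, error) {
				return proxyFromEnv(envMap(os.Environ()), req.URL)
			},
		},
	}
}

// sanitizedEnv removes HTTP_PROXY (any case) from an environment slice so it
// can be passed safely as exec.Cmd.Env to child processes.
func sanitizedEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key := kv
		if i := strings.IndexByte(kv, '='); i >= 0 {
			key = kv[:i]
		}
		if strings.EqualFold(key, "HTTP_PROXY") {
			continue
		}
		out = append(out, kv)
	}
	return out
}

func main() {
	target, _ := url.Parse("http://backend.internal/api")
	// Constructed CGI environment: HTTP_PROXY planted via a Proxy header.
	cgiEnv := map[string]string{
		"REQUEST_METHOD": "GET",
		"HTTP_PROXY":     "http://203.0.113.5:8080",
	}
	proxy, _ := proxyFromEnv(cgiEnv, target)
	fmt.Println("proxy under CGI:", proxy) // nil: the planted value is ignored
	fmt.Println("child env:", sanitizedEnv([]string{"PATH=/usr/bin", "http_proxy=http://203.0.113.5:8080"}))
	_ = newClient()
}
```

Use `newClient()` in place of `http.DefaultClient` for any outbound calls made by a CGI handler, and pass `sanitizedEnv(os.Environ())` to `exec.Cmd.Env` when the handler spawns tools such as curl or wget that honour HTTP_PROXY on their own.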


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_cgi

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_cgi

