Upstream Sync Report — 2026-07-03
This is an automated report from the Upstream Sync Tracking Loop. It summarizes upstream changes in Go stdlib net/http, golang.org/x/net/http2, and quic-go since the last baselines.
Current Baselines (before this run)
Go stdlib net/http: 2024-09-10 (ad6ee2)
golang.org/x/net/http2: 2024-09-06 (3c333c)
quic-go: v0.59.0
New Baselines (after this run)
Go stdlib net/http: 2026-07-02 (aa44f96)
golang.org/x/net/http2: 2026-07-01 (bd5f1dc)
quic-go: v0.60.0 (released 2026-06-06)
1. Go stdlib net/http — 35 commits since baseline
Security Fixes (7 commits)
| Date | Hash | Description |
| --- | --- | --- |
| Jul 1, 2026 | 1952e61 | CVE-2026-56853 — Header timeout not applied to server's HTTP/2 preface read. (Later reverted in 821f3ff for rc2 consistency, expected back in rc3.) |
| Jul 2, 2026 | 3d3798e | HTTP/2 trailers exceeding `MaxResponseHeaderBytes` were silently truncated instead of returning an error. |
| Jun 18, 2026 | cabdf7f | Header injection via trailers — Trailer names like `X-Trailer\r\nInjected: 1` were copied verbatim, allowing header injection. Now validates via `httpguts.ValidHeaderFieldName`/`ValidHeaderFieldValue`. |
| Jun 4, 2026 | 3f9d49f | Sensitive header leakage on redirect — Punycode manipulation via proxy `Host` header could bypass header stripping on cross-host redirects. Now uses raw Punycode. |
| Jun 9, 2026 | e95518b | HTTP/2: Non-identical duplicate `Content-Length` headers were silently accepted (RFC 9112 violation). |
| Jun 17, 2026 | b6a3601 | HTTP/2: Server SETTINGS frames not validated against flow control limits. |
| May 13, 2026 | 7601c4b | HTTP/2: Accepted malformed requests with `END_STREAM` + non-zero `Content-Length`. |
| Jun 29, 2026 | 06bb174 | Server hangs draining request body when `Expect: 100-continue` and server rejects early. |
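The trailer fix in cabdf7f replaces verbatim copying with reject-on-invalid. The following is an added example, not code from the Go project or from req: it reimplements the byte rules of `httpguts.ValidHeaderFieldName` / `ValidHeaderFieldValue` on the standard library only (so it runs stand-alone), and `copyTrailers` is a hypothetical name for the post-fix copy step, fed the exact constructed trailer name quoted in the table.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// tchars is the RFC 9110 token alphabet; httpguts.ValidHeaderFieldName accepts only these bytes.
const tchars = "!#$%&'*+-.^_`|~0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// validFieldName reimplements httpguts.ValidHeaderFieldName on the standard library only.
func validFieldName(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(tchars, s[i]) < 0 {
			return false
		}
	}
	return true
}

// validFieldValue mirrors httpguts.ValidHeaderFieldValue: no CTL bytes except SP and HTAB.
func validFieldValue(s string) bool {
	for i := 0; i < len(s); i++ {
		if c := s[i]; (c < ' ' && c != '\t') || c == 0x7f {
			return false
		}
	}
	return true
}

// copyTrailers (hypothetical name) is the post-fix behaviour: an invalid name or value is an error, never sanitised.
func copyTrailers(src http.Header) (http.Header, error) {
	dst := http.Header{}
	for k, vv := range src {
		if !validFieldName(k) {
			return nil, fmt.Errorf("invalid trailer name %q", k)
		}
		for _, v := range vv {
			if !validFieldValue(v) {
				return nil, fmt.Errorf("invalid trailer value %q for %q", v, k)
			}
		}
		dst[k] = append([]string(nil), vv...)
	}
	return dst, nil
}
```

Calling `copyTrailers(http.Header{"X-Trailer\r\nInjected: 1": {"v"}})` returns an error instead of emitting a second header line, which is the regression test worth keeping next to req's modified transfer code.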
Breaking / Behavior Changes (6 commits)
| Date | Hash | Description |
| --- | --- | --- |
| Jul 1, 2026 | d90bf6d | New `Server.MaxHeaderValueCount` setting (default 500). |
| Jun 18, 2026 | cabdf7f | Trailer validation now errors instead of sanitizing CR/LF. |
| Jun 9, 2026 | e95518b | HTTP/2 rejects duplicate `Content-Length` with different values. |
| Jun 23, 2026 | 57f9a58 | Redirect now preserves `RawPath` escaping (prevents double-escaping). |
| May 8, 2026 | 15b9fc2 | Transport can negotiate HTTP/2 with non-`*tls.Conn` connections (previously server-only). |
| Jun 29, 2026 | 9a92465 | Reverted ReverseProxy body wrapping (`noopCloseReader` caused second-order issues). |
Transport/Other Fixes
5005a20 — gzipReader concurrent Read/Close deadlock fix
ea0da40 — HTTP/2 client conn closure on GOAWAY with zero in-flight requests
96736b8 — Case-insensitive shouldCopyHeaderOnRedirect for ASCII
HTTP/3 Preparation
~12 commits address HTTP/3 test fixes (issues #78737, #70914), indicating active HTTP/3 stabilization work in stdlib.
2. golang.org/x/net/http2 — 35 commits since baseline
Security Fixes (4 commits)
| Date | Hash | CVE/Issue | Description |
| --- | --- | --- | --- |
| Apr 1, 2026 | 1e71bd8 | CVE-2026-33814 / #78476 | Transport hangs on malformed SETTINGS frame. |
| Feb 18, 2026 | 19f580f | #77652 | Nil panic on unassigned frame types (e.g., ALTSVC 0x0a) — DoS. |
| Feb 3, 2026 | 64b3af9 | #77331 | Transport deadlock from WINDOW_UPDATE exceeding 2^31-1 limit. |
| Apr 30, 2026 | 4c78867 | #70914 | HTTP/3: invalid characters in response headers not rejected. |
Major Architectural Change — Go 1.27 Wrapping (8 commits)
Starting May 2026, x/net/http2 now wraps net/http's built-in HTTP/2 when built with Go 1.27+ (49810da). Key implications:
x/net/http2 becomes a thin wrapper, not a standalone implementation
Use -tags=http2legacy to revert to old behavior
h2c package deprecated (6c6f714)
Write schedulers deprecated (8afa12f): NewPriorityWriteScheduler, NewRandomWriteScheduler, PriorityWriteSchedulerConfig
Minimum Go version raised to 1.25.0 (29181b8)
Transport/Frame Fixes
bd5f1dc — Missing Transport init on NewClientConn
42abb85 — Silent HTTP/1.1 downgrade in wrap configureTransport
008e5e7 — Missing ALPN registration in wrap configureServer
3eb9327 — No retry after RST_STREAM PROTOCOL_ERROR
f207862 — DisableClientPriority field added
8f003b3 — SETTINGS_NO_RFC7540_PRIORITIES support
3. quic-go — 2 releases since baseline
v0.59.1 (2026-05-11) — Patch Release
Backports #5642: HTTP/3 trailer validation.
v0.60.0 (2026-06-06) — Minor Release
Breaking Change:
Requires Go 1.25+ (dropped Go 1.24). Uses sync.WaitGroup.Go and other Go 1.25 features.
New Feature — FIPS 140-3 Support:
FIPS 140-3 compliant when built with Go 1.26+ and Go Cryptographic Module
Switched to stdlib crypto/hkdf for QUIC HKDF
Uses stdlib TLS 1.3 AES-GCM for QUIC packet protection AEADs
cipher.NewGCMWithRandomNonce for address validation token encryption
ChaCha20-Poly1305 guarded to not run in FIPS mode
Notable Fixes:
Path probe packets now pass OOB data (correct network interface selection)
Stream/SendStream context cancelled when connection closes
http3: Validate Extended CONNECT :protocol pseudo-header
http3: Always set http.Request.Scheme and http.Request.Host
http3: Nil pointer dereference when Server.Logger is unset
OpenStreamSync returns context error on cancellation
Maximum datagram size estimation fix after MTU discovery
Impact Assessment for req
High Priority — Security Fixes to Port
Header injection via trailers (cabdf7f) — req's modified transfer.go/response.go likely affected
Sensitive header leakage on redirect (3f9d49f, 96736b8) — req's redirect logic in client.go/request.go may need equivalent fix
HTTP/2 trailer truncation (3d3798e) — req's internal/http2/ modified code
CVE-2026-33814 (1e71bd8) — HTTP/2 Transport hang on bad SETTINGS — req's internal/http2/
HTTP/2 WINDOW_UPDATE deadlock (64b3af9) — req's internal/http2/
Nil panic on unassigned frame types (19f580f) — req's internal/http2/ frame parser
HTTP/2 flow limit validation (b6a3601) — req's internal/http2/
Duplicate Content-Length rejection (e95518b) — req's internal/http2/ and transport.go
END_STREAM + Content-Length rejection (7601c4b) — req's internal/http2/
Medium Priority — Behavior Changes
Redirect RawPath escaping (57f9a58) — req's redirect handling
Server.MaxHeaderValueCount (d90bf6d) — new server-side setting (may not apply to client-only req)
HTTP/2 GOAWAY with zero in-flight (ea0da40) — req already has GOAWAY retry logic (fix: retry on GOAWAY errors when using cached HTTP/2 connections #491)
gzipReader deadlock (5005a20) — req's modified transfer code
quic-go v0.60.0 Upgrade
Go 1.25+ requirement aligns with req's existing Go 1.25+ minimum — no conflict
FIPS 140-3 support is opt-in (requires Go 1.26+ and Go Crypto Module)
http3 fixes (nil pointer, scheme/host, :protocol validation) are directly relevant to req's internal/http3/
Trailer validation backport in v0.59.1 should also be synced
x/net/http2 Go 1.27 Wrapping
The wrapping architecture is a future concern — only relevant when req upgrades to Go 1.27+
req uses its own modified internal/http2/, so the wrapping change doesn't directly apply
However, deprecation of write schedulers and h2c should be noted for future planning
Recommended Actions
Port security fixes from stdlib net/http and x/net/http2 to req's modified files (highest priority)
Upgrade quic-go from v0.59.0 → v0.60.0 in internal/http3/ (port the http3 fixes and FIPS changes)
Full diff sync of all modified files per the CODEBUDDY.md mandatory sync flow:
diff -rq each modified file against upstream
Port all non-test changes
List inapplicable upstream changes (server-side logic) with reasons
go build ./... + go test ./... must pass
Consider adding redirect header-stripping tests to prevent Punycode bypass regression
This issue was auto-generated by the Upstream Sync Tracking Loop. Sync of modified code requires manual human work per project conventions.