net/http/httputil: close incoming ReverseProxy request body

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, becuse http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Updates #46866
Fixes CVE-2021-36221

Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Trust: Damien Neil <>
Reviewed-by: Brad Fitzpatrick <>
Reviewed-by: Filippo Valsorda <>
2 files changed
tree: fe86fc80397496bbb065a7a1ae55799111b240b2
  1. .gitattributes
  2. .github/
  3. .gitignore
  11. api/
  12. codereview.cfg
  13. doc/
  14. lib/
  15. misc/
  16. src/
  17. test/

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at There is a mirror of the repository at

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at

After downloading a binary release, visit for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit for source installation instructions.


Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines at

Note that the Go project uses the issue tracker for bug reports and proposals only. See for a list of places to ask questions about the Go language.