As discussed upstream -- here and here -- the Go project received notification of an HTTP request smuggling vulnerability in the net/http library. Invalid headers are parsed as valid headers and Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.