[BUG] Parser fails on duplicate HTTP status lines (malformed MIME header error) #541

@coderabbitai

Description

Summary

This issue is cloned from projectdiscovery/nuclei#7363 as the root cause lies in rawhttp's response parser.

Requested by @dwisiswant0.
Problem

When a target server returns a malformed HTTP response containing duplicate identical status lines (e.g., HTTP/1.0 200 OK\r\nHTTP/1.0 200 OK\r\n...), the rawhttp response parser fails with:

malformed MIME header: missing colon: "HTTP/1.0 200 OK"

This is because the parser hands off header parsing to Go's net/textproto reader, which strictly requires every header line to contain a colon. When it encounters the second status line, it treats it as a malformed header.

This failure propagates up to Nuclei, causing requests to fail entirely even under unsafe: true mode — matchers never run and the raw response body is inaccessible.

Reproduction

  1. Device: Grandstream HT801 (firmware 1.0.13.7), endpoint /cgi-bin/dologin
  2. The device responds with two identical HTTP/1.0 200 OK status lines before the actual headers.
  3. Any raw HTTP client using rawhttp to parse this response will encounter the error above.

Expected Behavior

The rawhttp parser should be lenient enough to handle broken/duplicate status lines that some servers or proxies emit. Possible approaches:

  • Skip/ignore extra status lines after the first one is parsed.
  • Implement a lenient header reader that falls back to a raw byte split on \r\n\r\n when strict parsing fails, especially in unsafe mode.
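As an added illustration (not rawhttp's or Nuclei's own code), the failing path is shown next to a hypothetical lenient reader that discards repeated status lines before handing the headers to net/textproto; the sample response is constructed to match the duplicate-status-line shape described above.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/textproto"
	"strings"
)

// Constructed sample of the malformed response: two identical status lines.
const sampleResponse = "HTTP/1.0 200 OK\r\nHTTP/1.0 200 OK\r\n" +
	"Content-Type: text/html\r\nContent-Length: 2\r\n\r\nok"

// strictParse mirrors the failing path: net/textproto rejects the second status line.
func strictParse(raw string) (textproto.MIMEHeader, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	if _, err := tp.ReadLine(); err != nil {
		return nil, err
	}
	return tp.ReadMIMEHeader()
}

// lenientParse (hypothetical fix): after the first status line, drop further lines starting with "HTTP/" (a header name cannot contain '/').
func lenientParse(raw string) (status string, hdr textproto.MIMEHeader, body string, err error) {
	br := bufio.NewReader(strings.NewReader(raw))
	tp := textproto.NewReader(br)
	if status, err = tp.ReadLine(); err != nil {
		return "", nil, "", err
	}
	for {
		peek, perr := br.Peek(5)
		if perr != nil || string(peek) != "HTTP/" {
			break
		}
		if _, err = tp.ReadLine(); err != nil { // discard duplicate status line
			return "", nil, "", err
		}
	}
	if hdr, err = tp.ReadMIMEHeader(); err != nil {
		return "", nil, "", err
	}
	b, err := io.ReadAll(br) // ReadMIMEHeader already consumed the blank line
	return status, hdr, string(b), err
}

func main() {
	fmt.Println(strictParse(sampleResponse))
	fmt.Println(lenientParse(sampleResponse))
}
```

The skip loop only consumes lines that cannot be valid header lines, so well-formed responses pass through unchanged.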

Related

Environment

  • Nuclei: v3.8.0
  • Go: go1.21.5
  • OS: macOS Ventura 13.6 / Ubuntu 24.04
