When working with multipart forms Go will try to store in memory the entire form and if size exceeds limit boundaries temporary files take place. net/http didn't warm developers http.ListenAndServe will try to clean up any created temporary file and any working temporary file also need to be ready to remove.

If file is still in use (no Close() yet) http.ListenAndServe clean up can fail and your temporary directory can start pilling up. This is when resource exhaustion can happen by lack of inodes or disk space. Until Go decides to fix or not is developer responsibility to close any open files.

This repository has some examples of improper handling of problem and secure as well. Goal here is to explain the concept of not leaving any resource behind for OS/language to handle for you.

Secure Code Warrior has all rights about this challenge.