CVE-2023-45288

MEDIUM5.3EPSS 75.3%

net/http, x/net/http2: close connections when receiving too many headers

Published: 4/4/2024Modified: 2/4/2026

Also known as:GHSA-4v7x-pqxf-cx7mBIT-golang-2023-45288CGA-cp2m-4m66-fgvgGO-2024-2687

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Affected packages (9)

Bitnami/golangfrom 0, < 1.21.9, >= 1.22.0-0, < 1.22.2
Debian/golang-1.15from 0
Debian/golang-1.19from 0
Debian/golang-golang-x-netfrom 0
Go/golang.org/x/netfrom 0, < 0.23.0
Go/golang.org/x/netfrom 0, < 0.23.0
Go/golang.org/x/net/http2from 0, < 0.23.0
Go/net/httpfrom 0, < 1.21.9
Go/stdlibfrom 0, < 1.21.9, >= 1.22.0-0, < 1.22.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Affected packages (9)

CVSS scores

References (14)