GHSA-4v7x-pqxf-cx7m

Suggest an improvement
Source
https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-4v7x-pqxf-cx7m/GHSA-4v7x-pqxf-cx7m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4v7x-pqxf-cx7m
Aliases
Related
Published
2024-04-04T21:30:32Z
Modified
2024-10-15T05:57:11.509390Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
net/http, x/net/http2: close connections when receiving too many headers
Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References

Affected packages

Go / net/http

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.21.9

Go / golang.org/x/net/http2

Package

Name
golang.org/x/net/http2
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/net/http2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.23.0

Go / net/http

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.22.0-0
Fixed
1.22.2

Go / golang.org/x/net

Package

Name
golang.org/x/net
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.23.0