GO-2022-0236
See a problem?- Source
- https://pkg.go.dev/vuln/GO-2022-0236
- Import Source
- https://vuln.go.dev/ID/GO-2022-0236.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2022-0236
- Aliases
- Published
- 2022-07-15T23:04:18Z
- Modified
- 2024-09-11T06:13:34.274481Z
- Summary
- Panic due to large headers in net/http and golang.org/x/net/http/httpguts
- Details
-
A malicious HTTP server or client can cause the net/http client or server to panic.
ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
- References
- Credits
-
-
- Guido Vranken
-
Affected packages
Go / stdlib
Package
- Name
- stdlib
- View open source insights on deps.dev
- Purl
- pkg:golang/stdlib
Go / golang.org/x/net
Package
- Name
- golang.org/x/net
- View open source insights on deps.dev
- Purl
- pkg:golang/golang.org/x/net