GHSA-4v7x-pqxf-cx7m

GitHub Security Advisory

net/http, x/net/http2: close connections when receiving too many headers

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
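The accounting described above, as an added illustration that is not the Go project's code: the `Frame` type, `ReadHeaderBlock` and the `excessLimit` value are constructed assumptions, and the real fix chooses its own limit. The patched path keeps parsing past `MaxHeaderBytes` (so HPACK state stays in sync) only up to a bounded excess, then closes the connection; the unbounded path shows the pre-fix behaviour of parsing every frame.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame models one HEADERS or CONTINUATION frame; only the header-block
// fragment size matters here. Constructed type, not the x/net/http2 Framer's.
type Frame struct {
	Kind    string
	Payload int
}

// ErrExcessHeaderData: the peer kept sending header frames far past
// MaxHeaderBytes, so the whole connection (not just the stream) is closed.
var ErrExcessHeaderData = errors.New("http2: excess header data, closing connection")

// ReadHeaderBlock consumes the frames of one request. maxHeaderBytes mirrors
// http.Server.MaxHeaderBytes; excessLimit (assumed value) caps how many
// over-limit bytes are still parsed before the connection is dropped.
// Returns frames parsed, whether the request is rejected (431), and a
// connection-level error.
func ReadHeaderBlock(frames []Frame, maxHeaderBytes, excessLimit int) (parsed int, reject bool, err error) {
	received := 0
	for _, f := range frames {
		parsed++
		received += f.Payload
		if received <= maxHeaderBytes {
			continue
		}
		reject = true // nothing is stored past the limit, but parsing continues
		if received-maxHeaderBytes > excessLimit {
			return parsed, reject, ErrExcessHeaderData
		}
	}
	return parsed, reject, nil
}

// ReadHeaderBlockUnbounded is the pre-fix behaviour: every frame is parsed
// no matter how far past MaxHeaderBytes the sender goes.
func ReadHeaderBlockUnbounded(frames []Frame, maxHeaderBytes int) (parsed int, reject bool) {
	received := 0
	for _, f := range frames {
		parsed++
		received += f.Payload
		reject = reject || received > maxHeaderBytes
	}
	return parsed, reject
}

func main() {
	// Constructed sample: one HEADERS frame followed by 100 CONTINUATION frames.
	frames := []Frame{{"HEADERS", 512}}
	for i := 0; i < 100; i++ {
		frames = append(frames, Frame{"CONTINUATION", 1024})
	}
	n, rej, err := ReadHeaderBlock(frames, 1024, 4096)
	fmt.Printf("patched: parsed %d frames, reject=%v, err=%v\n", n, rej, err)
	n, rej = ReadHeaderBlockUnbounded(frames, 1024)
	fmt.Printf("unpatched: parsed %d frames, reject=%v\n", n, rej)
}
```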

Affected Packages

Go net/http
Affected versions: all versions before 1.21.9 (fixed in 1.21.9)
Go golang.org/x/net/http2
Affected versions: all versions before 0.23.0 (fixed in 0.23.0)
Go net/http
Affected versions: 1.22.0-0 up to but not including 1.22.2 (fixed in 1.22.2)
Go golang.org/x/net
Affected versions: all versions before 0.23.0 (fixed in 0.23.0)

Key Information

GHSA ID
GHSA-4v7x-pqxf-cx7m
Published
April 4, 2024 9:30 PM
Last Modified
May 2, 2024 6:59 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
net/http
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.