An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Affected Packages

Go golang.org/x/net/http2

Affected versions: 0 (fixed in 0.4.0)

Go golang.org/x/net

Affected versions: 0 (fixed in 0.4.0)

Related CVEs

CVE-2022-41717

Key Information

GHSA ID

GHSA-xrjj-mj9h-534m

Published

December 8, 2022 9:30 PM

Last Modified

May 20, 2024 9:41 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

golang.org/x/net/http2

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 17, 2025 2:40 PM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.