Vulnerability Report: GO-2023-1495

  • CVE-2022-41721, GHSA-fxg5-wq6x-vr4w
  • Affects: golang.org/x/net
  • Published: Jan 13, 2023
  • Modified: Jun 12, 2023

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Affected Packages

  • Path
    Versions
    Symbols
  • golang.org/x/net/http2/h2c
    from v0.0.0-20220524220425-1d687d428aca before v0.1.1-0.20221104162952-702349b0e862
    all symbols

Aliases

References

Credits

  • John Howard (Google)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.