Vulnerability Report: GO-2023-1571
- CVE-2022-41723, GHSA-vvpx-j8f3-3w6h
- Affects: net/http, golang.org/x/net
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Affected Packages
-
PathVersionsSymbols
-
before go1.19.6, from go1.20.0-0 before go1.20.1
-
before v0.7.0
37 affected symbols
- ClientConn.Close
- ClientConn.Ping
- ClientConn.RoundTrip
- ClientConn.Shutdown
- ConfigureServer
- ConfigureTransport
- ConfigureTransports
- ConnectionError.Error
- ErrCode.String
- FrameHeader.String
- FrameType.String
- FrameWriteRequest.String
- Framer.ReadFrame
- Framer.WriteContinuation
- Framer.WriteData
- Framer.WriteDataPadded
- Framer.WriteGoAway
- Framer.WriteHeaders
- Framer.WritePing
- Framer.WritePriority
- Framer.WritePushPromise
- Framer.WriteRSTStream
- Framer.WriteRawFrame
- Framer.WriteSettings
- Framer.WriteSettingsAck
- Framer.WriteWindowUpdate
- GoAwayError.Error
- ReadFrameHeader
- Server.ServeConn
- Setting.String
- SettingID.String
- SettingsFrame.ForeachSetting
- StreamError.Error
- Transport.CloseIdleConnections
- Transport.NewClientConn
- Transport.RoundTrip
- Transport.RoundTripOpt
-
before v0.7.0
Aliases
References
- https://go.dev/issue/57855
- https://go.dev/cl/468135
- https://go.dev/cl/468295
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
- https://vuln.go.dev/ID/GO-2023-1571.json
Credits
- Philippe Antoine (Catena cyber)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.