Vulnerability Report: GO-2024-2687
- CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
- Affects: net/http, golang.org/x/net
- Published: Apr 03, 2024
- Modified: Apr 16, 2024
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Affected Packages
-
PathVersionsSymbols
-
before go1.21.9, from go1.22.0-0 before go1.22.2
71 affected symbols
- CanonicalHeaderKey
- Client.CloseIdleConnections
- Client.Do
- Client.Get
- Client.Head
- Client.Post
- Client.PostForm
- Cookie.String
- Cookie.Valid
- Dir.Open
- Error
- Get
- HandlerFunc.ServeHTTP
- Head
- Header.Add
- Header.Del
- Header.Get
- Header.Set
- Header.Values
- Header.Write
- Header.WriteSubset
- ListenAndServe
- ListenAndServeTLS
- NewRequest
- NewRequestWithContext
- NotFound
- ParseTime
- Post
- PostForm
- ProxyFromEnvironment
- ReadRequest
- ReadResponse
- Redirect
- Request.AddCookie
- Request.BasicAuth
- Request.FormFile
- Request.FormValue
- Request.MultipartReader
- Request.ParseForm
- Request.ParseMultipartForm
- Request.PostFormValue
- Request.Referer
- Request.SetBasicAuth
- Request.UserAgent
- Request.Write
- Request.WriteProxy
- Response.Cookies
- Response.Location
- Response.Write
- ResponseController.EnableFullDuplex
- ResponseController.Flush
- ResponseController.Hijack
- ResponseController.SetReadDeadline
- ResponseController.SetWriteDeadline
- Serve
- ServeContent
- ServeFile
- ServeMux.ServeHTTP
- ServeTLS
- Server.Close
- Server.ListenAndServe
- Server.ListenAndServeTLS
- Server.Serve
- Server.ServeTLS
- Server.SetKeepAlivesEnabled
- Server.Shutdown
- SetCookie
- Transport.CancelRequest
- Transport.Clone
- Transport.CloseIdleConnections
- Transport.RoundTrip
-
before v0.23.0
37 affected symbols
- ClientConn.Close
- ClientConn.Ping
- ClientConn.RoundTrip
- ClientConn.Shutdown
- ConfigureServer
- ConfigureTransport
- ConfigureTransports
- ConnectionError.Error
- ErrCode.String
- FrameHeader.String
- FrameType.String
- FrameWriteRequest.String
- Framer.ReadFrame
- Framer.WriteContinuation
- Framer.WriteData
- Framer.WriteDataPadded
- Framer.WriteGoAway
- Framer.WriteHeaders
- Framer.WritePing
- Framer.WritePriority
- Framer.WritePushPromise
- Framer.WriteRSTStream
- Framer.WriteRawFrame
- Framer.WriteSettings
- Framer.WriteSettingsAck
- Framer.WriteWindowUpdate
- GoAwayError.Error
- ReadFrameHeader
- Server.ServeConn
- Setting.String
- SettingID.String
- SettingsFrame.ForeachSetting
- StreamError.Error
- Transport.CloseIdleConnections
- Transport.NewClientConn
- Transport.RoundTrip
- Transport.RoundTripOpt
Aliases
References
- https://go.dev/issue/65051
- https://go.dev/cl/576155
- https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
- https://vuln.go.dev/ID/GO-2024-2687.json
Credits
- Bartek Nowotarski (https://nowotarski.info/)