{"id":"GO-2023-1571","summary":"Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net","details":"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.","aliases":["BIT-golang-2022-41723","CVE-2022-41723","GHSA-vvpx-j8f3-3w6h"],"modified":"2026-03-17T04:30:31.903830Z","published":"2023-02-16T22:31:36Z","related":["CGA-vcg8-c28j-qpfw","RHBA-2023:2181","RHSA-2023:1325","RHSA-2023:3083","RHSA-2023:3445","RHSA-2023:3447","RHSA-2023:3450","RHSA-2023:3612","RHSA-2023:4003","RHSA-2023:6346","RHSA-2023:6363","RHSA-2023:6402","RHSA-2023:6473","RHSA-2023:6474","RHSA-2023:6938","RHSA-2023:6939","RHSA-2023:7058","RHSA-2024:0948"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1571"},"references":[{"type":"REPORT","url":"https://go.dev/issue/57855"},{"type":"FIX","url":"https://go.dev/cl/468135"},{"type":"FIX","url":"https://go.dev/cl/468295"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.19.6"},{"introduced":"1.20.0-0"},{"fixed":"1.20.1"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Get","Head","ListenAndServe","ListenAndServeTLS","Post","PostForm","Serve","ServeTLS","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","Transport.RoundTrip"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1571.json"}},{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.7.0"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["ClientConn.Close","ClientConn.Ping","ClientConn.RoundTrip","ClientConn.Shutdown","ConfigureServer","ConfigureTransport","ConfigureTransports","ConnectionError.Error","ErrCode.String","FrameHeader.String","FrameType.String","FrameWriteRequest.String","Framer.ReadFrame","Framer.WriteContinuation","Framer.WriteData","Framer.WriteDataPadded","Framer.WriteGoAway","Framer.WriteHeaders","Framer.WritePing","Framer.WritePriority","Framer.WritePushPromise","Framer.WriteRSTStream","Framer.WriteRawFrame","Framer.WriteSettings","Framer.WriteSettingsAck","Framer.WriteWindowUpdate","GoAwayError.Error","ReadFrameHeader","Server.ServeConn","Setting.String","SettingID.String","SettingsFrame.ForeachSetting","StreamError.Error","Transport.CloseIdleConnections","Transport.NewClientConn","Transport.RoundTrip","Transport.RoundTripOpt","bufferedWriter.Flush","bufferedWriter.Write","chunkWriter.Write","clientConnPool.GetClientConn","connError.Error","dataBuffer.Read","duplicatePseudoHeaderError.Error","gzipReader.Close","gzipReader.Read","headerFieldNameError.Error","headerFieldValueError.Error","noDialClientConnPool.GetClientConn","noDialH2RoundTripper.RoundTrip","pipe.Read","priorityWriteScheduler.CloseStream","priorityWriteScheduler.OpenStream","pseudoHeaderError.Error","requestBody.Close","requestBody.Read","responseWriter.Flush","responseWriter.FlushError","responseWriter.Push","responseWriter.SetReadDeadline","responseWriter.SetWriteDeadline","responseWriter.Write","responseWriter.WriteHeader","responseWriter.WriteString","serverConn.CloseConn","serverConn.Flush","stickyErrWriter.Write","transportResponseBody.Close","transportResponseBody.Read","writeData.String"]},{"path":"golang.org/x/net/http2/hpack","symbols":["Decoder.DecodeFull","Decoder.Write","Decoder.parseFieldLiteral","Decoder.readString"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1571.json"}}],"schema_version":"1.7.5","credits":[{"name":"Philippe Antoine (Catena cyber)"}]}