{"id":"GO-2023-2382","summary":"Denial of service via chunk extensions in net/http","details":"A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.\n\nA malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.\n\nChunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.","aliases":["BIT-golang-2023-39326","CVE-2023-39326"],"modified":"2026-03-17T04:50:31.011957Z","published":"2023-12-06T16:22:36Z","related":["CGA-68mx-h7cx-55qw","RHSA-2023:7200","RHSA-2023:7201","RHSA-2024:0748","RHSA-2024:0880","RHSA-2024:0887","RHSA-2024:1041","RHSA-2024:1131","RHSA-2024:1149","RHSA-2024:1244","RHSA-2024:1640","RHSA-2024:2160","RHSA-2024:2193","RHSA-2024:2245","RHSA-2024:2272","RHSA-2024:2729","RHSA-2024:2730","RHSA-2024:2767","RHSA-2024:2988","RHSA-2024:3352","RHSA-2024:3467"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-2382"},"references":[{"type":"REPORT","url":"https://go.dev/issue/64433"},{"type":"FIX","url":"https://go.dev/cl/547335"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.20.12"},{"introduced":"1.21.0-0"},{"fixed":"1.21.5"}]}],"ecosystem_specific":{"imports":[{"path":"net/http/internal","symbols":["chunkedReader.Read","chunkedReader.beginChunk","readChunkLine"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2382.json"}}],"schema_version":"1.7.5","credits":[{"name":"Bartek Nowotarski"}]}