{"id":"GO-2024-2687","summary":"HTTP/2 CONTINUATION flood in net/http","details":"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.","aliases":["BIT-golang-2023-45288","CVE-2023-45288","GHSA-4v7x-pqxf-cx7m"],"modified":"2026-03-17T04:53:09.334274Z","published":"2024-04-03T21:12:01Z","related":["CGA-cp2m-4m66-fgvg","RHEA-2024:4022","RHSA-2024:1892","RHSA-2024:1897","RHSA-2024:1899","RHSA-2024:1962","RHSA-2024:1963","RHSA-2024:2049","RHSA-2024:2079","RHSA-2024:2562","RHSA-2024:2625","RHSA-2024:2667","RHSA-2024:2671","RHSA-2024:2672","RHSA-2024:2699","RHSA-2024:2724","RHSA-2024:2729","RHSA-2024:2892","RHSA-2024:2935","RHSA-2024:2936","RHSA-2024:3259","RHSA-2024:3346","RHSA-2024:3352","RHSA-2024:3467","RHSA-2024:3781","RHSA-2024:4023","RHSA-2024:4125","RHSA-2024:4146","RHSA-2024:4543","RHSA-2024:4545","RHSA-2024:4546","RHSA-2024:4933","RHSA-2024:4934"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2687","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/65051"},{"type":"FIX","url":"https://go.dev/cl/576155"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.21.9"},{"introduced":"1.22.0-0"},{"fixed":"1.22.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["CanonicalHeaderKey","Client.CloseIdleConnections","Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Cookie.String","Cookie.Valid","Dir.Open","Error","Get","HandlerFunc.ServeHTTP","Head","Header.Add","Header.Del","Header.Get","Header.Set","Header.Values","Header.Write","Header.WriteSubset","ListenAndServe","ListenAndServeTLS","NewRequest","NewRequestWithContext","NotFound","ParseTime","Post","PostForm","ProxyFromEnvironment","ReadRequest","ReadResponse","Redirect","Request.AddCookie","Request.BasicAuth","Request.FormFile","Request.FormValue","Request.MultipartReader","Request.ParseForm","Request.ParseMultipartForm","Request.PostFormValue","Request.Referer","Request.SetBasicAuth","Request.UserAgent","Request.Write","Request.WriteProxy","Response.Cookies","Response.Location","Response.Write","ResponseController.EnableFullDuplex","ResponseController.Flush","ResponseController.Hijack","ResponseController.SetReadDeadline","ResponseController.SetWriteDeadline","Serve","ServeContent","ServeFile","ServeMux.ServeHTTP","ServeTLS","Server.Close","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeTLS","Server.SetKeepAlivesEnabled","Server.Shutdown","SetCookie","Transport.CancelRequest","Transport.Clone","Transport.CloseIdleConnections","Transport.RoundTrip","body.Close","body.Read","bodyEOFSignal.Close","bodyEOFSignal.Read","bodyLocked.Read","bufioFlushWriter.Write","cancelTimerBody.Close","cancelTimerBody.Read","checkConnErrorWriter.Write","chunkWriter.Write","connReader.Read","connectMethodKey.String","expectContinueReader.Close","expectContinueReader.Read","extraHeader.Write","fileHandler.ServeHTTP","fileTransport.RoundTrip","globalOptionsHandler.ServeHTTP","gzipReader.Close","gzipReader.Read","http2ClientConn.Close","http2ClientConn.Ping","http2ClientConn.RoundTrip","http2ClientConn.Shutdown","http2ConnectionError.Error","http2ErrCode.String","http2FrameHeader.String","http2FrameType.String","http2FrameWriteRequest.String","http2Framer.ReadFrame","http2Framer.WriteContinuation","http2Framer.WriteData","http2Framer.WriteDataPadded","http2Framer.WriteGoAway","http2Framer.WriteHeaders","http2Framer.WritePing","http2Framer.WritePriority","http2Framer.WritePushPromise","http2Framer.WriteRSTStream","http2Framer.WriteRawFrame","http2Framer.WriteSettings","http2Framer.WriteSettingsAck","http2Framer.WriteWindowUpdate","http2Framer.readMetaFrame","http2GoAwayError.Error","http2Server.ServeConn","http2Setting.String","http2SettingID.String","http2SettingsFrame.ForeachSetting","http2StreamError.Error","http2Transport.CloseIdleConnections","http2Transport.NewClientConn","http2Transport.RoundTrip","http2Transport.RoundTripOpt","http2bufferedWriter.Flush","http2bufferedWriter.Write","http2chunkWriter.Write","http2clientConnPool.GetClientConn","http2connError.Error","http2dataBuffer.Read","http2duplicatePseudoHeaderError.Error","http2gzipReader.Close","http2gzipReader.Read","http2headerFieldNameError.Error","http2headerFieldValueError.Error","http2noDialClientConnPool.GetClientConn","http2noDialH2RoundTripper.RoundTrip","http2pipe.Read","http2priorityWriteScheduler.CloseStream","http2priorityWriteScheduler.OpenStream","http2pseudoHeaderError.Error","http2requestBody.Close","http2requestBody.Read","http2responseWriter.Flush","http2responseWriter.FlushError","http2responseWriter.Push","http2responseWriter.SetReadDeadline","http2responseWriter.SetWriteDeadline","http2responseWriter.Write","http2responseWriter.WriteHeader","http2responseWriter.WriteString","http2roundRobinWriteScheduler.OpenStream","http2serverConn.CloseConn","http2serverConn.Flush","http2stickyErrWriter.Write","http2transportResponseBody.Close","http2transportResponseBody.Read","http2writeData.String","initALPNRequest.ServeHTTP","loggingConn.Close","loggingConn.Read","loggingConn.Write","maxBytesReader.Close","maxBytesReader.Read","onceCloseListener.Close","persistConn.Read","persistConnWriter.ReadFrom","persistConnWriter.Write","populateResponse.Write","populateResponse.WriteHeader","readTrackingBody.Close","readTrackingBody.Read","readWriteCloserBody.Read","redirectHandler.ServeHTTP","response.Flush","response.FlushError","response.Hijack","response.ReadFrom","response.Write","response.WriteHeader","response.WriteString","serverHandler.ServeHTTP","socksDialer.DialWithConn","socksUsernamePassword.Authenticate","stringWriter.WriteString","timeoutHandler.ServeHTTP","timeoutWriter.Write","timeoutWriter.WriteHeader","transportReadFromServerError.Error"],"path":"net/http"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2687.json"}},{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.23.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["ClientConn.Close","ClientConn.Ping","ClientConn.RoundTrip","ClientConn.Shutdown","ConfigureServer","ConfigureTransport","ConfigureTransports","ConnectionError.Error","ErrCode.String","FrameHeader.String","FrameType.String","FrameWriteRequest.String","Framer.ReadFrame","Framer.WriteContinuation","Framer.WriteData","Framer.WriteDataPadded","Framer.WriteGoAway","Framer.WriteHeaders","Framer.WritePing","Framer.WritePriority","Framer.WritePushPromise","Framer.WriteRSTStream","Framer.WriteRawFrame","Framer.WriteSettings","Framer.WriteSettingsAck","Framer.WriteWindowUpdate","Framer.readMetaFrame","GoAwayError.Error","ReadFrameHeader","Server.ServeConn","Setting.String","SettingID.String","SettingsFrame.ForeachSetting","StreamError.Error","Transport.CloseIdleConnections","Transport.NewClientConn","Transport.RoundTrip","Transport.RoundTripOpt","bufferedWriter.Flush","bufferedWriter.Write","chunkWriter.Write","clientConnPool.GetClientConn","connError.Error","dataBuffer.Read","duplicatePseudoHeaderError.Error","gzipReader.Close","gzipReader.Read","headerFieldNameError.Error","headerFieldValueError.Error","noDialClientConnPool.GetClientConn","noDialH2RoundTripper.RoundTrip","pipe.Read","priorityWriteScheduler.CloseStream","priorityWriteScheduler.OpenStream","pseudoHeaderError.Error","requestBody.Close","requestBody.Read","responseWriter.Flush","responseWriter.FlushError","responseWriter.Push","responseWriter.SetReadDeadline","responseWriter.SetWriteDeadline","responseWriter.Write","responseWriter.WriteHeader","responseWriter.WriteString","roundRobinWriteScheduler.OpenStream","serverConn.CloseConn","serverConn.Flush","stickyErrWriter.Write","transportResponseBody.Close","transportResponseBody.Read","writeData.String"],"path":"golang.org/x/net/http2"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2687.json"}}],"schema_version":"1.7.5","credits":[{"name":"Bartek Nowotarski (https://nowotarski.info/)"}]}