high
7.5
CWE
400
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2023-45288: HTTP/2 CONTINUATION flood in net/http

First published: Wed Mar 06 2024(Updated: )

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Credit: security@golang.org security@golang.org

Affected SoftwareAffected VersionHow to fix
go/golang.org/x/net<0.23.0
0.23.0
go/net/http>=1.22.0-0<1.22.2
1.22.2
go/golang.org/x/net/http2<0.23.0
0.23.0
go/net/http<1.21.9
1.21.9
redhat/golang<1.22.2
1.22.2
redhat/golang<1.21.9
1.21.9
redhat/golang.org/x/net<0.23.0
0.23.0
debian/golang-1.15<=1.15.15-1~deb11u4
debian/golang-1.19<=1.19.8-2
debian/golang-golang-x-net<=1:0.0+git20210119.5f4716e+dfsg-4<=1:0.7.0+dfsg-1
1:0.27.0-1

Remedy

https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3

Remedy

https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2023-45288?

    CVE-2023-45288 is considered a high-severity vulnerability as it allows an attacker to read arbitrary amounts of header data.

  • How do I fix CVE-2023-45288?

    To fix CVE-2023-45288, upgrade to the latest versions of affected packages such as golang.org/x/net version 0.23.0 or net/http version 1.22.2.

  • Which software is affected by CVE-2023-45288?

    Software affected by CVE-2023-45288 includes older versions of golang.org/x/net, net/http, and IBM Planning Analytics Workspace.

  • What types of attacks are possible with CVE-2023-45288?

    An attacker can exploit CVE-2023-45288 by sending excessive CONTINUATION frames, which may lead to header data exposure.

  • Is there a workaround for CVE-2023-45288?

    There is no documented workaround for CVE-2023-45288, so upgrading to the patched versions is advised.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203