Homepage
About Snyk

Allocation of Resources Without Limits or Throttling Affecting golang.org/x/net/http2 package, versions <0.23.0

0.0
high

Snyk CVSS

    Attack Complexity Low
    Availability High
Expand this section
Red Hat
7.5 high
Expand this section
SUSE
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285
  • published 4 Apr 2024
  • disclosed 10 Jan 2024
  • credit Bartek Nowotarski
Report a new vulnerability Found a mistake?

Introduced: 10 Jan 2024

CVE-2023-45288 Open this link in a new tab
CWE-770 Open this link in a new tab

How to fix?

Upgrade golang.org/x/net/http2 to version 0.23.0 or higher.

Overview

golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when reading header data from CONTINUATION frames. As part of the HPACK flow, all incoming HEADERS and CONTINUATION frames are read even if their payloads exceed MaxHeaderBytes and will be discarded. An attacker can send excessive data over a connection to render it unresponsive.