CVE-2023-45288

Published: 27 March 2024

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Notes

issue in net/http and net/http2 packages

Packages built using golang need to be rebuilt once the
vulnerability has been fixed. This CVE entry does not
list packages that need rebuilding outside of the main
repository or the Ubuntu variants with PPA overlays.

Warning: do not include nullboot in the list of no-change
rebuilds after fixing an issue in golang.

Status

References

• https://kb.cert.org/vuls/id/421644
• https://go.dev/cl/576155
• https://pkg.go.dev/vuln/GO-2024-2687
• https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
• https://www.cve.org/CVERecord?id=CVE-2023-45288
• NVD
• Launchpad
• Debian

Bugs

• https://go.dev/issue/65051