CVE-2022-41721
HIGH
Go net/http MaxBytesHandler - HTTP/2 Request Smuggling
Title source: manual
Description
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
References (5)
Core References
Patch, Vendor Advisory
https://go.dev/cl/447396
Exploit, Issue Tracking, Patch, Vendor Advisory
https://go.dev/issue/56352
Vendor Advisory
https://pkg.go.dev/vuln/GO-2023-1495
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
Scores
CVSS v3
7.5
EPSS
0.0181
EPSS Percentile
75.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (2)
golang/h2c
< 2022-11-04
x/net
0.0.0-20220524220425-1d687d428aca - 0.1.1-0.20221104162952-702349b0e862
Go
Published
Jan 13, 2023
Tracked Since
Feb 18, 2026