CVE-2023-45288

HIGH

HTTP/2 - Info Disclosure

Title source: llm

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the number of excess header frames we will process before closing a connection.
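An added example, not code from the advisory or from the Go project, sketching in Go the mitigation the description ends with: count header-block bytes across HEADERS and CONTINUATION frames, stop storing past MaxHeaderBytes, and treat more than a fixed number of further frames as grounds to close the connection. The HeaderGuard type, its field names and the limit values are assumptions; wire-level frame decoding and HPACK are left out.

```go
package main

import "errors"

// HTTP/2 frame types and flag (RFC 9113) that make up a header block.
const (
	typeHeaders      uint8 = 0x1
	typeContinuation uint8 = 0x9
	flagEndHeaders   uint8 = 0x4
)

var ErrExcessHeaderFrames = errors.New("header frames past MaxHeaderBytes; close connection")

// Frame is a decoded HTTP/2 frame; Payload is the header block fragment (HPACK not decoded here).
type Frame struct {
	Type, Flags uint8
	StreamID    uint32
	Payload     []byte
}

// HeaderGuard is a hypothetical sketch of the advisory's mitigation: bytes past MaxHeaderBytes
// are dropped, and more than MaxExcessFrames further frames close the connection instead of
// being parsed and Huffman-decoded without bound.
type HeaderGuard struct {
	MaxHeaderBytes, MaxExcessFrames int
	inBlock                         bool
	stream                          uint32
	seen, excess                    int
}

// Feed checks one frame; a non-nil error means the connection should be closed.
func (g *HeaderGuard) Feed(f Frame) error {
	switch f.Type {
	case typeHeaders:
		g.inBlock, g.stream, g.seen, g.excess = true, f.StreamID, 0, 0
	case typeContinuation:
		if !g.inBlock || f.StreamID != g.stream {
			return errors.New("CONTINUATION outside an open header block")
		}
	default:
		return nil // other frame types are not part of this check
	}
	if g.seen += len(f.Payload); g.seen > g.MaxHeaderBytes {
		if g.excess++; g.excess > g.MaxExcessFrames {
			return ErrExcessHeaderFrames
		}
	}
	g.inBlock = f.Flags&flagEndHeaders == 0
	return nil
}
```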

Exploits (1)

nomisec WORKING POC 5 stars
by hex0punk · poc
https://github.com/hex0punk/cont-flood-poc

Scores

CVSS v3 7.5
EPSS 0.7146
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (5)
golang.org/x/net/golang.org/x/net/http2 < 0.23.0
Go standard library/net/http < 1.21.9
Go standard library/net/http 1.22.0-0 - 1.22.2
net/http 0 - 1.21.9 (Go)
x/net 0 - 0.23.0 (2 CPE variants) (Go)
Published Apr 04, 2024
Tracked Since Feb 18, 2026