CVE-2021-31525
Description
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 panics on oversized headers, enabling denial of service via Server, Transport, or Client.
Vulnerability
The ReadRequest and ReadResponse functions in Go's net/http package are vulnerable to an unrecoverable panic when reading a very large header. On 64-bit architectures, the threshold is over 7 MB; on 32-bit, over 4 MB. This affects Go versions before 1.15.12 and 1.16.x before 1.16.4. The Transport and Client are vulnerable by default; the Server is not vulnerable by default, but becomes so if Server.MaxHeaderBytes is set to a value higher than the default 1 MB. The issue also impacts golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts. [1][2][3]
Exploitation
An attacker can trigger the panic without authentication by sending an HTTP request or response containing a header that exceeds the threshold sizes mentioned above. For a Transport or Client, a malicious server sends an oversized response header. For a Server configured with an elevated MaxHeaderBytes, a malicious client sends an oversized request header. No special network position is required beyond being able to send or receive HTTP messages over the network. [2][3]
Impact
Successful exploitation causes the Go process to panic and crash, resulting in a denial of service. The impact is limited to availability (service interruption). There is no disclosure of information or privilege escalation described in the references. [1][3]
Mitigation
Upgrade to Go 1.16.4 or 1.15.12, released on 2021-05-27, which includes the fix. For uses of golang.org/x/net, upgrade to version v0.0.0-20210428140749-89ef3d95e781. Workarounds include keeping Server.MaxHeaderBytes at the default value (1 MB) to avoid exposing the server to the vulnerability. No EOL or KEV listing is noted. [2][3]
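As an added example (not code from the advisory or from the Go project), a small Go check that applies the two mitigations above: goVersionAffected (a name assumed here) parses a runtime.Version()-style string and flags the ranges before 1.15.12 and 1.16.x before 1.16.4, and capHeaderBytes (also assumed) lowers a raised Server.MaxHeaderBytes back to the 1 MB net/http default so the Server is not exposed.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"runtime"
	"strconv"
)

var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// goVersionAffected reports whether a version string in runtime.Version()
// format ("go1.16.3") lies in the CVE-2021-31525 ranges: before 1.15.12,
// or 1.16.x before 1.16.4. Unparseable strings count as affected so they
// get reviewed instead of silently passing.
func goVersionAffected(v string) bool {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return true
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // "" -> 0, so "go1.16" means 1.16.0
	switch {
	case major != 1 || minor > 16:
		return false
	case minor < 15:
		return true
	case minor == 15:
		return patch < 12
	}
	return patch < 4 // minor == 16
}

// capHeaderBytes applies the Server workaround: the Server is exposed only when
// MaxHeaderBytes is raised above the 1 MB default, so anything larger is lowered
// back to http.DefaultMaxHeaderBytes. It returns true when it changed the value.
func capHeaderBytes(srv *http.Server) bool {
	if srv.MaxHeaderBytes > http.DefaultMaxHeaderBytes {
		srv.MaxHeaderBytes = http.DefaultMaxHeaderBytes
		return true
	}
	return false
}

func main() {
	fmt.Printf("%s affected: %v\n", runtime.Version(), goVersionAffected(runtime.Version()))
	srv := &http.Server{MaxHeaderBytes: 8 << 20} // constructed: 8 MB, above the 7 MB 64-bit threshold
	fmt.Printf("lowered MaxHeaderBytes: %v (now %d)\n", capHeaderBytes(srv), srv.MaxHeaderBytes)
}
```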
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net (Go) | < 0.0.0-20210428140749-89ef3d95e781 | 0.0.0-20210428140749-89ef3d95e781 |
Affected products
20 products are listed: the NVD product Go/Go (see the description above) and the 19 OSV package coordinates below. None of the OSV entries carries a CPE.

| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/grpcurl | none | < 1.8.7-r7 |
| pkg:apk/chainguard/hey | none | < 0.1.4-r3 |
| pkg:apk/chainguard/k3d | none | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | none | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | none | < 5.6.0-r11 |
| pkg:apk/chainguard/terraform-provider-sendgrid | none | < 1.0.1-r1 |
| pkg:apk/chainguard/terraform-provider-sendgrid-fips | none | < 1.0.1-r1 |
| pkg:apk/wolfi/grpcurl | none | < 1.8.7-r7 |
| pkg:apk/wolfi/hey | none | < 0.1.4-r3 |
| pkg:apk/wolfi/k3d | none | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | none | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | none | < 5.6.0-r11 |
| pkg:apk/wolfi/terraform-provider-sendgrid | none | < 1.0.1-r1 |
| pkg:bitnami/golang | none | < 1.15.12 |
| pkg:golang/golang.org/x/net | none | < 0.0.0-20210428140749-89ef3d95e781 |
| pkg:rpm/suse/go1.15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 | none | < 1.15.12-1.30.1 |
| pkg:rpm/suse/go1.15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 | none | < 1.15.12-1.30.1 |
| pkg:rpm/suse/go1.16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 | none | < 1.16.4-1.14.2 |
| pkg:rpm/suse/go1.16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 | none | < 1.16.4-1.14.2 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h86h-8ppg-mxmh (source: ghsa; type: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/ (source: mitre; type: vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-31525 (source: ghsa; type: advisory)
- security.gentoo.org/glsa/202208-02 (source: ghsa; type: vendor-advisory, x_refsource_GENTOO, web)
- github.com/golang/go/issues/45710 (source: ghsa; type: x_refsource_MISC, web)
- go.dev/cl/313069 (source: ghsa; type: web)
- go.dev/issue/45710 (source: ghsa; type: web)
- go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9 (source: ghsa; type: web)
- groups.google.com/g/golang-announce/c/cu9SP4eSXMc (source: ghsa; type: x_refsource_MISC, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF (source: ghsa; type: web)
- pkg.go.dev/vuln/GO-2022-0236 (source: ghsa; type: web)
News mentions
No linked articles in our index yet.