Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
Description
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Request smuggling in the golang.org/x/net/http2 h2c handler, when it is used with MaxBytesHandler, lets an attacker inject arbitrary HTTP/2 requests because the HTTP/1.1 request body is not fully consumed.
The vulnerability is a request smuggling flaw in the golang.org/x/net/http2 library, specifically in the h2c handler when it is used with MaxBytesHandler. According to the official description [1], when MaxBytesHandler is employed the body of an HTTP request is not fully consumed, which leaves residual body data in the connection buffer.
An attacker can exploit this by sending a crafted HTTP/1.1 request with a body that, when not fully read, is interpreted as HTTP/2 frames by the server. The server, expecting HTTP/2 frames on the connection, reads the leftover body data, which the attacker can manipulate to represent arbitrary HTTP/2 requests [2]. This attack requires the server to be configured to upgrade from HTTP/1.1 to HTTP/2 via h2c (HTTP/2 cleartext).
The impact is request smuggling, allowing an attacker to inject malicious HTTP/2 requests that may bypass security controls, access restricted resources, or perform actions on behalf of other users. Additionally, the Go issue [2] highlights that the mitigation using MaxBytesHandler is ineffective and can lead to a denial-of-service (DoS) vector due to unbounded memory consumption when reading the body.
The vulnerability is fixed in golang.org/x/net version 0.1.1-0.20221104162952-702349b0e862 and later [3]. Users should update their dependencies. There is no workaround other than upgrading.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
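The mechanism the description and narrative above refer to, shown as an added standard-library-only Go model (this is example code written for this page; it is not code from golang.org/x/net and not part of the advisory): an HTTP/1.1 request asking for an h2c upgrade carries a body, the handler reads that body only up to a size limit, and the same buffered connection is then handed to the HTTP/2 layer. The request bytes, the 64-byte filler body, the read limit of 16, and the names rawConnection, handoff and hasClientPreface are all constructed for this example. With drain=false the HTTP/2 layer's first bytes come from the unread remainder of the client-controlled body; with drain=true the remainder of the declared body is discarded first and the HTTP/2 layer sees the client preface that actually followed it. The remedy for the real library is the upgrade stated above, not a local patch.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// clientPreface is the fixed string an HTTP/2 client sends once the
// connection has been upgraded (RFC 7540 section 3.5). Here it stands in
// for "the bytes the HTTP/2 layer legitimately expects to read next".
const clientPreface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

// constructedBody is a stand-in request body that is longer than the
// handler's read limit. Its content is meaningless filler; only its length
// and the fact that the client controls it matter.
var constructedBody = strings.Repeat("x", 64)

// rawConnection builds the byte stream a server would see on one TCP
// connection (constructed for this example): an HTTP/1.1 request that asks
// for an h2c upgrade and carries a Content-Length body, followed by the
// HTTP/2 client preface.
func rawConnection() []byte {
	var b bytes.Buffer
	b.WriteString("POST /upload HTTP/1.1\r\n")
	b.WriteString("Host: example.invalid\r\n")
	b.WriteString("Connection: Upgrade, HTTP2-Settings\r\n")
	b.WriteString("Upgrade: h2c\r\n")
	b.WriteString("HTTP2-Settings: AAMAAABkAAQAAP__\r\n")
	fmt.Fprintf(&b, "Content-Length: %d\r\n\r\n", len(constructedBody))
	b.WriteString(constructedBody)
	b.WriteString(clientPreface)
	return b.Bytes()
}

// handoff models the upgrade path in simplified form (hypothetical helper,
// not x/net's code): parse the HTTP/1.1 request from the buffered
// connection, let the handler read the body through a size limit (the role
// MaxBytesHandler plays in the advisory), then hand the same buffered
// connection to the HTTP/2 layer. It returns the first len(clientPreface)
// bytes that layer would read.
//
// drain=false leaves the unread remainder of the body in the buffer, which
// is the condition the advisory describes; drain=true discards the rest of
// the declared body before the handoff.
func handoff(raw []byte, limit int64, drain bool) ([]byte, error) {
	conn := bufio.NewReader(bytes.NewReader(raw))
	req, err := http.ReadRequest(conn)
	if err != nil {
		return nil, err
	}

	// The handler's size-limited view of the body: at most limit bytes.
	if _, err := io.ReadAll(io.LimitReader(req.Body, limit)); err != nil {
		return nil, err
	}
	if drain {
		// Consume whatever remains of the Content-Length body so the next
		// protocol starts exactly where the client's body ended.
		if _, err := io.Copy(io.Discard, req.Body); err != nil {
			return nil, err
		}
	}

	// Whatever the HTTP/2 layer reads now comes straight from conn.
	seen := make([]byte, len(clientPreface))
	n, err := io.ReadFull(conn, seen)
	if err != nil && err != io.ErrUnexpectedEOF {
		return nil, err
	}
	return seen[:n], nil
}

// hasClientPreface reports whether the bytes handed to the HTTP/2 layer
// are the preface a legitimate client would send next.
func hasClientPreface(seen []byte) bool {
	return string(seen) == clientPreface
}

func main() {
	raw := rawConnection()
	for _, drain := range []bool{false, true} {
		seen, err := handoff(raw, 16, drain)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("drain=%-5v preface=%-5v first bytes=%q\n",
			drain, hasClientPreface(seen), seen)
	}
}
```

Running it prints one line per mode: without draining the first 24 bytes are filler from the body, so anything the HTTP/2 layer parses from that point is client-chosen; with draining they are exactly the client preface. The same check, applied to any handler that hands a connection from one protocol to another, is a useful review question: is every byte of the declared body consumed or discarded before the handoff?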
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net (Go) | >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 |
Affected products
Ten OSV coordinates with nine version ranges; no CPE is recorded for any of them.
- pkg:apk/chainguard/kyverno-1.8 (no CPE): range < 1.8.5-r2
- pkg:apk/chainguard/kyverno-cli-1.8 (no CPE): range < 1.8.5-r2
- pkg:apk/chainguard/kyverno-init-container-1.8 (no CPE): range < 1.8.5-r2
- pkg:apk/chainguard/py3-seldon-core-1.16 (no CPE): range < 1.16.0-r6
- pkg:apk/chainguard/seldon-core-operator-1.16 (no CPE): range < 1.16.0-r1
- pkg:apk/chainguard/seldon-core-operator-compat (no CPE): range < 1.16.0-r6
- pkg:apk/chainguard/seldon-core-operator-compat-helm (no CPE): range < 1.16.0-r1
- pkg:apk/chainguard/seldon-core-operator-fips (no CPE): range < 1.16.0-r6
- pkg:golang/golang.org/x/net (no CPE): range >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862
- golang.org/x/net, module golang.org/x/net/http2/h2c: range 0.0.0-20220524220425-1d687d428aca
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fxg5-wq6x-vr4w (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-41721 (GHSA: advisory)
- cs.opensource.google/go/x/net (GHSA: package)
- go.dev/cl/447396 (GHSA: web)
- go.dev/issue/56352 (GHSA: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN (GHSA: web; also listed by MITRE)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP (GHSA: web; also listed by MITRE)
- pkg.go.dev/vuln/GO-2023-1495 (GHSA: web)
News mentions
No linked articles in our index yet.