VYPR
High severity7.5NVD Advisory· Published Apr 4, 2024· Updated Apr 15, 2026

CVE-2023-45288

CVE-2023-45288

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
net/httpGo
< 1.21.91.21.9
golang.org/x/net/http2Go
< 0.23.00.23.0
net/httpGo
>= 1.22.0-0, < 1.22.21.22.2
golang.org/x/netGo
< 0.23.00.23.0

Affected products

2655

Patches

Vulnerability mechanics

References

14

News mentions

0

No linked articles in our index yet.