Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
INFO
Published Date :
2024-04-04T20:37:30.714Z
Last Modified :
2025-11-04T18:17:43.583Z
Source :
Go
AFFECTED PRODUCTS
The following products are affected by CVE-2023-45288 vulnerability.
| Vendors | Products |
|---|---|
| Go Standard Library |
|
| Golang |
|
| Redhat |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2023-45288.