{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-45288","assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","state":"PUBLISHED","assignerShortName":"Go","dateReserved":"2023-10-06T17:06:26.221Z","datePublished":"2024-04-04T20:37:30.714Z","dateUpdated":"2025-11-04T18:17:43.583Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go","dateUpdated":"2024-05-01T17:10:07.754Z"},"title":"HTTP/2 CONTINUATION flood in net/http","descriptions":[{"lang":"en","value":"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."}],"affected":[{"vendor":"Go standard library","product":"net/http","collectionURL":"https://pkg.go.dev","packageName":"net/http","versions":[{"version":"0","lessThan":"1.21.9","status":"affected","versionType":"semver"},{"version":"1.22.0-0","lessThan":"1.22.2","status":"affected","versionType":"semver"}],"programRoutines":[{"name":"http2Framer.readMetaFrame"},{"name":"CanonicalHeaderKey"},{"name":"Client.CloseIdleConnections"},{"name":"Client.Do"},{"name":"Client.Get"},{"name":"Client.Head"},{"name":"Client.Post"},{"name":"Client.PostForm"},{"name":"Cookie.String"},{"name":"Cookie.Valid"},{"name":"Dir.Open"},{"name":"Error"},{"name":"Get"},{"name":"HandlerFunc.ServeHTTP"},{"name":"Head"},{"name":"Header.Add"},{"name":"Header.Del"},{"name":"Header.Get"},{"name":"Header.Set"},{"name":"Header.Values"},{"name":"Header.Write"},{"name":"Header.WriteSubset"},{"name":"ListenAndServe"},{"name":"ListenAndServeTLS"},{"name":"NewRequest"},{"name":"NewRequestWithContext"},{"name":"NotFound"},{"name":"ParseTime"},{"name":"Post"},{"name":"PostForm"},{"name":"ProxyFromEnvironment"},{"name":"ReadRequest"},{"name":"ReadResponse"},{"name":"Redirect"},{"name":"Request.AddCookie"},{"name":"Request.BasicAuth"},{"name":"Request.FormFile"},{"name":"Request.FormValue"},{"name":"Request.MultipartReader"},{"name":"Request.ParseForm"},{"name":"Request.ParseMultipartForm"},{"name":"Request.PostFormValue"},{"name":"Request.Referer"},{"name":"Request.SetBasicAuth"},{"name":"Request.UserAgent"},{"name":"Request.Write"},{"name":"Request.WriteProxy"},{"name":"Response.Cookies"},{"name":"Response.Location"},{"name":"Response.Write"},{"name":"ResponseController.EnableFullDuplex"},{"name":"ResponseController.Flush"},{"name":"ResponseController.Hijack"},{"name":"ResponseController.SetReadDeadline"},{"name":"ResponseController.SetWriteDeadline"},{"name":"Serve"},{"name":"ServeContent"},{"name":"ServeFile"},{"name":"ServeMux.ServeHTTP"},{"name":"ServeTLS"},{"name":"Server.Close"},{"name":"Server.ListenAndServe"},{"name":"Server.ListenAndServeTLS"},{"name":"Server.Serve"},{"name":"Server.ServeTLS"},{"name":"Server.SetKeepAlivesEnabled"},{"name":"Server.Shutdown"},{"name":"SetCookie"},{"name":"Transport.CancelRequest"},{"name":"Transport.Clone"},{"name":"Transport.CloseIdleConnections"},{"name":"Transport.RoundTrip"},{"name":"body.Close"},{"name":"body.Read"},{"name":"bodyEOFSignal.Close"},{"name":"bodyEOFSignal.Read"},{"name":"bodyLocked.Read"},{"name":"bufioFlushWriter.Write"},{"name":"cancelTimerBody.Close"},{"name":"cancelTimerBody.Read"},{"name":"checkConnErrorWriter.Write"},{"name":"chunkWriter.Write"},{"name":"connReader.Read"},{"name":"connectMethodKey.String"},{"name":"expectContinueReader.Close"},{"name":"expectContinueReader.Read"},{"name":"extraHeader.Write"},{"name":"fileHandler.ServeHTTP"},{"name":"fileTransport.RoundTrip"},{"name":"globalOptionsHandler.ServeHTTP"},{"name":"gzipReader.Close"},{"name":"gzipReader.Read"},{"name":"http2ClientConn.Close"},{"name":"http2ClientConn.Ping"},{"name":"http2ClientConn.RoundTrip"},{"name":"http2ClientConn.Shutdown"},{"name":"http2ConnectionError.Error"},{"name":"http2ErrCode.String"},{"name":"http2FrameHeader.String"},{"name":"http2FrameType.String"},{"name":"http2FrameWriteRequest.String"},{"name":"http2Framer.ReadFrame"},{"name":"http2Framer.WriteContinuation"},{"name":"http2Framer.WriteData"},{"name":"http2Framer.WriteDataPadded"},{"name":"http2Framer.WriteGoAway"},{"name":"http2Framer.WriteHeaders"},{"name":"http2Framer.WritePing"},{"name":"http2Framer.WritePriority"},{"name":"http2Framer.WritePushPromise"},{"name":"http2Framer.WriteRSTStream"},{"name":"http2Framer.WriteRawFrame"},{"name":"http2Framer.WriteSettings"},{"name":"http2Framer.WriteSettingsAck"},{"name":"http2Framer.WriteWindowUpdate"},{"name":"http2GoAwayError.Error"},{"name":"http2Server.ServeConn"},{"name":"http2Setting.String"},{"name":"http2SettingID.String"},{"name":"http2SettingsFrame.ForeachSetting"},{"name":"http2StreamError.Error"},{"name":"http2Transport.CloseIdleConnections"},{"name":"http2Transport.NewClientConn"},{"name":"http2Transport.RoundTrip"},{"name":"http2Transport.RoundTripOpt"},{"name":"http2bufferedWriter.Flush"},{"name":"http2bufferedWriter.Write"},{"name":"http2chunkWriter.Write"},{"name":"http2clientConnPool.GetClientConn"},{"name":"http2connError.Error"},{"name":"http2dataBuffer.Read"},{"name":"http2duplicatePseudoHeaderError.Error"},{"name":"http2gzipReader.Close"},{"name":"http2gzipReader.Read"},{"name":"http2headerFieldNameError.Error"},{"name":"http2headerFieldValueError.Error"},{"name":"http2noDialClientConnPool.GetClientConn"},{"name":"http2noDialH2RoundTripper.RoundTrip"},{"name":"http2pipe.Read"},{"name":"http2priorityWriteScheduler.CloseStream"},{"name":"http2priorityWriteScheduler.OpenStream"},{"name":"http2pseudoHeaderError.Error"},{"name":"http2requestBody.Close"},{"name":"http2requestBody.Read"},{"name":"http2responseWriter.Flush"},{"name":"http2responseWriter.FlushError"},{"name":"http2responseWriter.Push"},{"name":"http2responseWriter.SetReadDeadline"},{"name":"http2responseWriter.SetWriteDeadline"},{"name":"http2responseWriter.Write"},{"name":"http2responseWriter.WriteHeader"},{"name":"http2responseWriter.WriteString"},{"name":"http2roundRobinWriteScheduler.OpenStream"},{"name":"http2serverConn.CloseConn"},{"name":"http2serverConn.Flush"},{"name":"http2stickyErrWriter.Write"},{"name":"http2transportResponseBody.Close"},{"name":"http2transportResponseBody.Read"},{"name":"http2writeData.String"},{"name":"initALPNRequest.ServeHTTP"},{"name":"loggingConn.Close"},{"name":"loggingConn.Read"},{"name":"loggingConn.Write"},{"name":"maxBytesReader.Close"},{"name":"maxBytesReader.Read"},{"name":"onceCloseListener.Close"},{"name":"persistConn.Read"},{"name":"persistConnWriter.ReadFrom"},{"name":"persistConnWriter.Write"},{"name":"populateResponse.Write"},{"name":"populateResponse.WriteHeader"},{"name":"readTrackingBody.Close"},{"name":"readTrackingBody.Read"},{"name":"readWriteCloserBody.Read"},{"name":"redirectHandler.ServeHTTP"},{"name":"response.Flush"},{"name":"response.FlushError"},{"name":"response.Hijack"},{"name":"response.ReadFrom"},{"name":"response.Write"},{"name":"response.WriteHeader"},{"name":"response.WriteString"},{"name":"serverHandler.ServeHTTP"},{"name":"socksDialer.DialWithConn"},{"name":"socksUsernamePassword.Authenticate"},{"name":"stringWriter.WriteString"},{"name":"timeoutHandler.ServeHTTP"},{"name":"timeoutWriter.Write"},{"name":"timeoutWriter.WriteHeader"},{"name":"transportReadFromServerError.Error"}],"defaultStatus":"unaffected"},{"vendor":"golang.org/x/net","product":"golang.org/x/net/http2","collectionURL":"https://pkg.go.dev","packageName":"golang.org/x/net/http2","versions":[{"version":"0","lessThan":"0.23.0","status":"affected","versionType":"semver"}],"programRoutines":[{"name":"Framer.readMetaFrame"},{"name":"ClientConn.Close"},{"name":"ClientConn.Ping"},{"name":"ClientConn.RoundTrip"},{"name":"ClientConn.Shutdown"},{"name":"ConfigureServer"},{"name":"ConfigureTransport"},{"name":"ConfigureTransports"},{"name":"ConnectionError.Error"},{"name":"ErrCode.String"},{"name":"FrameHeader.String"},{"name":"FrameType.String"},{"name":"FrameWriteRequest.String"},{"name":"Framer.ReadFrame"},{"name":"Framer.WriteContinuation"},{"name":"Framer.WriteData"},{"name":"Framer.WriteDataPadded"},{"name":"Framer.WriteGoAway"},{"name":"Framer.WriteHeaders"},{"name":"Framer.WritePing"},{"name":"Framer.WritePriority"},{"name":"Framer.WritePushPromise"},{"name":"Framer.WriteRSTStream"},{"name":"Framer.WriteRawFrame"},{"name":"Framer.WriteSettings"},{"name":"Framer.WriteSettingsAck"},{"name":"Framer.WriteWindowUpdate"},{"name":"GoAwayError.Error"},{"name":"ReadFrameHeader"},{"name":"Server.ServeConn"},{"name":"Setting.String"},{"name":"SettingID.String"},{"name":"SettingsFrame.ForeachSetting"},{"name":"StreamError.Error"},{"name":"Transport.CloseIdleConnections"},{"name":"Transport.NewClientConn"},{"name":"Transport.RoundTrip"},{"name":"Transport.RoundTripOpt"},{"name":"bufferedWriter.Flush"},{"name":"bufferedWriter.Write"},{"name":"chunkWriter.Write"},{"name":"clientConnPool.GetClientConn"},{"name":"connError.Error"},{"name":"dataBuffer.Read"},{"name":"duplicatePseudoHeaderError.Error"},{"name":"gzipReader.Close"},{"name":"gzipReader.Read"},{"name":"headerFieldNameError.Error"},{"name":"headerFieldValueError.Error"},{"name":"noDialClientConnPool.GetClientConn"},{"name":"noDialH2RoundTripper.RoundTrip"},{"name":"pipe.Read"},{"name":"priorityWriteScheduler.CloseStream"},{"name":"priorityWriteScheduler.OpenStream"},{"name":"pseudoHeaderError.Error"},{"name":"requestBody.Close"},{"name":"requestBody.Read"},{"name":"responseWriter.Flush"},{"name":"responseWriter.FlushError"},{"name":"responseWriter.Push"},{"name":"responseWriter.SetReadDeadline"},{"name":"responseWriter.SetWriteDeadline"},{"name":"responseWriter.Write"},{"name":"responseWriter.WriteHeader"},{"name":"responseWriter.WriteString"},{"name":"roundRobinWriteScheduler.OpenStream"},{"name":"serverConn.CloseConn"},{"name":"serverConn.Flush"},{"name":"stickyErrWriter.Write"},{"name":"transportResponseBody.Close"},{"name":"transportResponseBody.Read"},{"name":"writeData.String"}],"defaultStatus":"unaffected"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-400: Uncontrolled Resource Consumption"}]}],"references":[{"url":"https://go.dev/issue/65051"},{"url":"https://go.dev/cl/576155"},{"url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"},{"url":"https://pkg.go.dev/vuln/GO-2024-2687"},{"url":"https://security.netapp.com/advisory/ntap-20240419-0009/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"},{"url":"http://www.openwall.com/lists/oss-security/2024/04/05/4"},{"url":"http://www.openwall.com/lists/oss-security/2024/04/03/16"}],"credits":[{"lang":"en","value":"Bartek Nowotarski (https://nowotarski.info/)"}]},"adp":[{"title":"CVE Program Container","references":[{"url":"https://go.dev/issue/65051","tags":["x_transferred"]},{"url":"https://go.dev/cl/576155","tags":["x_transferred"]},{"url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M","tags":["x_transferred"]},{"url":"https://pkg.go.dev/vuln/GO-2024-2687","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20240419-0009/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2024/04/05/4","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2024/04/03/16","tags":["x_transferred"]},{"url":"https://www.kb.cert.org/vuls/id/421644"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T18:17:43.583Z"}},{"affected":[{"vendor":"go_standard_library","product":"net\\/http","cpes":["cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"1.21.9","versionType":"custom"},{"version":"1.22.0-0","status":"affected","lessThan":"1.22.2","versionType":"custom"}]},{"vendor":"golang","product":"http2","cpes":["cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"0.23.0","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.5,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-04-05T17:08:42.212936Z","id":"CVE-2023-45288","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-26T20:40:01.996Z"}}]}}