PT-2022-7291 · Go · Net/Http

Josselin Costanzi · Published 2022-11-30 · Updated 2026-03-26 · CVE-2022-41717

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: net/http versions prior to the fixed version

Description: The net/http package of the Go programming language is vulnerable to excessive memory growth because a resource is allocated without any limit. By sending very large HTTP header keys, an attacker can cause the server to allocate approximately 64 MiB per open connection, which can lead to a denial of service.

Recommendations: For net/http versions prior to the fixed version, the canonical header cache should be limited by bytes rather than by number of entries, which prevents the excessive memory growth. As a temporary workaround, restrict the size of the HTTP header keys that clients may send, which minimizes the risk of exploitation.
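
The workaround above, restricting how large a header a client may send, maps in Go to the server-level knob http.Server.MaxHeaderBytes. The following is an added example, not code from the advisory or from the Go project: it starts two test servers, one with Go's default 1 MiB limit and one with a hypothetical 8 KiB cap, and sends each a constructed request whose header key is 32 KiB long; the default server accepts it, the capped one answers 431 and closes the connection before the key reaches the handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newServer starts a test server whose http.Server caps the bytes it will
// read from a request's header block (keys included). maxHeaderBytes of 0
// keeps Go's default of 1 MiB (http.DefaultMaxHeaderBytes).
func newServer(maxHeaderBytes int) *httptest.Server {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewUnstartedServer(ok)
	srv.Config.MaxHeaderBytes = maxHeaderBytes
	srv.Start()
	return srv
}

// probeHeaderKey sends one GET carrying a constructed header whose key is
// keyLen bytes long and returns the status code the server answered with.
// Go's server answers 431 and closes the connection once the header block
// exceeds MaxHeaderBytes, so an oversized key never reaches the handler.
func probeHeaderKey(srv *httptest.Server, keyLen int) (int, error) {
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-"+strings.Repeat("K", keyLen), "1") // constructed key
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	const bigKey = 32 << 10 // 32 KiB key, far above any legitimate header name
	lax := newServer(0)     // Go default: 1 MiB of request headers
	defer lax.Close()
	strict := newServer(8 << 10) // hypothetical 8 KiB cap; size it for your app
	defer strict.Close()
	laxCode, _ := probeHeaderKey(lax, bigKey)
	strictCode, _ := probeHeaderKey(strict, bigKey)
	fmt.Println("default limit:", laxCode, "8 KiB limit:", strictCode) // 200 431
}
```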

Fix

DoS

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

ALSA-2023:2204
ALSA-2023:2222
ALSA-2023:2236
ALSA-2023:2253
ALSA-2023:2282
ALSA-2023:2283
ALSA-2023:2357
ALSA-2023:2367
ALSA-2023:2758
ALSA-2023:2780
ALSA-2023:2802
ALSA-2023:2866
ALSA-2023:6420
ALT-PU-2022-3297
ALT-PU-2022-3300
ALT-PU-2023-1205
ALT-PU-2023-1270
ALT-PU-2023-1323
ALT-PU-2023-1324
ALT-PU-2023-4785
ALT-PU-2023-7095
AZL-11582
AZL-33568
AZL-33573
AZL-33582
AZL-33617
AZL-33630
AZL-33645
AZL-34276
AZL-34750
AZL-35011
AZL-35113
AZL-35284
AZL-37311
AZL-37374
AZL-43744
AZL-44487
AZL-79004
BDU:2024-02376
BIT-GOLANG-2022-41717
CESA-2023_0446
CESA-2023_2758
CESA-2023_2780
CESA-2023_2802
CESA-2023_2866
CLEANSTART-2026-AN66259
CLEANSTART-2026-KD20596
CLEANSTART-2026-MA27248
CLEANSTART-2026-TF33105
CLEANSTART-2026-WG18689
CVE-2022-41717
ECHO-3232-E874-92A5
GHSA-XRJJ-MJ9H-534M
GO-2022-1144
MGASA-2022-0473
OESA-2023-1080
OESA-2023-1081
OESA-2023-1082
OESA-2023-1093
OPENSUSE-SU-2022_4397-1
OPENSUSE-SU-2022_4398-1
OPENSUSE-SU-2024:12552-1
OPENSUSE-SU-2024:12553-1
OPENSUSE-SU-2024:12615-1
OPENSUSE-SU-2024:13225-1
OPENSUSE-SU-2024:13299-1
OPENSUSE-SU-2024:14076-1
RHSA-2023:0328
RHSA-2023:0446
RHSA-2023:1179
RHSA-2023:1268
RHSA-2023:1275
RHSA-2023:1276
RHSA-2023:1325
RHSA-2023:1329
RHSA-2023:2204
RHSA-2023:2222
RHSA-2023:2236
RHSA-2023:2253
RHSA-2023:2282
RHSA-2023:2283
RHSA-2023:2357
RHSA-2023:2367
RHSA-2023:2758
RHSA-2023:2780
RHSA-2023:2802
RHSA-2023:2866
RHSA-2023:3204
RHSA-2023:3612
RHSA-2023:3910
RHSA-2023:3914
RHSA-2023:4470
RHSA-2023:5982
RHSA-2023:6420
RHSA-2023:6818
RHSA-2023_0328
RHSA-2023_0446
RHSA-2023_2204
RHSA-2023_2222
RHSA-2023_2236
RHSA-2023_2253
RHSA-2023_2282
RHSA-2023_2283
RHSA-2023_2357
RHSA-2023_2367
RHSA-2023_2758
RHSA-2023_2780
RHSA-2023_2802
RHSA-2023_2866
RHSA-2023_6420
RLSA-2023:6818
SUSE-SU-2022:4397-1
SUSE-SU-2022:4398-1
SUSE-SU-2022_4397-1
SUSE-SU-2022_4398-1
SUSE-SU-2023:2312-1
USN-6038-1
USN-6038-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Net/Http