PT-2023-6302 · Go Http2 Package

Neil · Published 2023-10-06 · Updated 2025-10-31 · CVE-2023-39325

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Go http2 package: net/http in the Go standard library before 1.20.10 and in 1.21.x before 1.21.3, and golang.org/x/net/http2 before v0.17.0 (as recorded in GO-2023-2102, listed under Related Identifiers).
Description: A malicious HTTP/2 client can cause excessive server resource consumption by rapidly creating requests and immediately resetting them. Before the fix, a reset stream stopped counting against http2.Server.MaxConcurrentStreams at once, while the handler goroutine started for it kept running; the attacker could therefore start a new request while the previous handler was still executing, so the number of concurrently running handlers was not bounded by MaxConcurrentStreams even though the number of open streams was. With the fix applied, HTTP/2 servers bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when the server is at that limit are queued until a handler exits, and if the request queue grows too large, the server terminates the connection.
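
The accounting difference described above, as an added example for this page (not code from net/http or golang.org/x/net): a single-threaded model in Go of one server connection's stream and handler bookkeeping, once in its pre-fix form and once in its post-fix form, driven by a client that opens a stream and immediately resets it. The serverConn type, the maxQueue parameter and the explicit handlerDone step are this model's own assumptions; the real implementation's queue cap and goroutine scheduling are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrStreamRefused models the protocol-level MaxConcurrentStreams limit, which
// applied before and after the fix; ErrQueueTooLarge models the post-fix
// server terminating a connection whose request queue has grown too large.
var (
	ErrStreamRefused = errors.New("REFUSED_STREAM: MaxConcurrentStreams reached")
	ErrQueueTooLarge = errors.New("request queue too large; connection terminated")
)

type stream struct{ reset bool }

// serverConn is a constructed, single-threaded model of one HTTP/2 server
// connection's bookkeeping (not net/http or x/net/http2 code). Pre-fix
// (fixed=false) the limit counts open streams, so a reset stream stops counting
// while its handler is still running. Post-fix (fixed=true) the limit counts
// running handlers; surplus requests queue, and an overlong queue terminates
// the connection. maxQueue is this model's own knob.
type serverConn struct {
	maxStreams, maxQueue int // http2.Server.MaxConcurrentStreams; queue cap
	fixed                bool
	open                 int       // streams neither reset nor finished
	running              []*stream // handlers started and not yet returned
	peak                 int       // most handlers running at once
	queue                []*stream // post-fix only: requests awaiting a slot
}

func (c *serverConn) start(st *stream) {
	c.running = append(c.running, st)
	if len(c.running) > c.peak {
		c.peak = len(c.running)
	}
}

// headers models a HEADERS frame opening a new stream.
func (c *serverConn) headers() (*stream, error) {
	if c.open >= c.maxStreams {
		return nil, ErrStreamRefused
	}
	st := &stream{}
	switch {
	case !c.fixed || len(c.running) < c.maxStreams:
		c.start(st) // pre-fix: always; post-fix: only when a slot is free
	case len(c.queue) < c.maxQueue:
		c.queue = append(c.queue, st)
	default:
		return nil, ErrQueueTooLarge
	}
	c.open++
	return st, nil
}

// rstStream models an RST_STREAM frame. It cannot stop a running handler.
func (c *serverConn) rstStream(st *stream) {
	st.reset = true
	c.open--
}

// handlerDone models the oldest running handler returning. Post-fix, the freed
// slot goes to the next queued request, skipping any reset while it waited.
func (c *serverConn) handlerDone() {
	st := c.running[0]
	c.running = c.running[1:]
	if !st.reset {
		c.open--
	}
	for c.fixed && len(c.queue) > 0 && len(c.running) < c.maxStreams {
		next := c.queue[0]
		c.queue = c.queue[1:]
		if !next.reset {
			c.start(next)
		}
	}
}

// rapidReset sends `requests` HEADERS+RST_STREAM pairs while no handler has
// returned yet, then drains the handlers. It reports the peak number of
// handlers running at once, how many requests the connection accepted, and
// the error that stopped the client, if any.
func rapidReset(maxStreams, maxQueue int, fixed bool, requests int) (peak, sent int, err error) {
	c := &serverConn{maxStreams: maxStreams, maxQueue: maxQueue, fixed: fixed}
	for ; sent < requests; sent++ {
		st, herr := c.headers()
		if herr != nil {
			err = herr
			break
		}
		c.rstStream(st)
	}
	for len(c.running) > 0 {
		c.handlerDone()
	}
	return c.peak, sent, err
}

func main() {
	for _, fixed := range []bool{false, true} {
		peak, sent, err := rapidReset(2, 8, fixed, 100)
		fmt.Printf("fixed=%-5v accepted=%-3d peak handlers=%-3d err=%v\n", fixed, sent, peak, err)
	}
}
```

With MaxConcurrentStreams set to 2, the pre-fix connection accepts all 100 requests and reaches 100 handlers running at once, because every reset immediately frees the only counter the limit is applied to. The post-fix connection never exceeds 2 running handlers: the third and later requests are queued, and once the queue holds 8 entries the next request terminates the connection, which is the behaviour the description attributes to the fix.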
Recommendations: Update to Go 1.20.10 or 1.21.3 (or any later release) and rebuild affected binaries, since the fixed net/http is compiled into them. Programs that use golang.org/x/net/http2 directly must also update that module to v0.17.0 or later and rebuild. Distribution packages of Go and of software rebuilt against it are tracked by the advisories listed under Related Identifiers.
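
To tell whether a deployed Go binary still carries the bug, the practical check is the toolchain and module versions embedded in it. The following added example (not from this page or the Go project) reads that build information with the standard library (debug/buildinfo for a file on disk, runtime/debug for the running program) and compares the versions against the releases that contain the fix. The fixed versions are taken from GO-2023-2102 (listed under Related Identifiers); the simplified version parser, the function names and the output format are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// ver is (major, minor, patch, release). release is 0 for a pre-release such as
// go1.22rc1 or the pseudo-version v0.17.0-0.2023..., 1 otherwise, so that a
// pre-release sorts before the release of the same number.
type ver [4]int

// parseVer handles the forms found in Go build info: "go1.21.3", "go1.20",
// "go1.22rc1", "v0.16.0", "v0.17.0-0.20231002...". It is this example's own
// simplified parser, not golang.org/x/mod/semver.
func parseVer(s string) ver {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	v := ver{0, 0, 0, 1}
	for i, part := range strings.SplitN(s, ".", 3) {
		j := 0
		for j < len(part) && part[j] >= '0' && part[j] <= '9' {
			j++
		}
		v[i], _ = strconv.Atoi(part[:j])
		if j < len(part) { // trailing "rc1", "-0.2023..." and similar mark a pre-release
			v[3] = 0
		}
	}
	return v
}

// less reports whether a sorts before b.
func less(a, b ver) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// First releases containing the fix for CVE-2023-39325, per GO-2023-2102.
var (
	fixGo120 = ver{1, 20, 10, 1}
	fixGo121 = ver{1, 21, 3, 1}
	fixXNet  = ver{0, 17, 0, 1}
)

// findings lists why a binary built with goVersion, and depending on the given
// golang.org/x/net version ("" if it does not depend on it), is still exposed.
func findings(goVersion, xnetVersion string) []string {
	if !strings.HasPrefix(goVersion, "go") { // e.g. "devel go1.23-..." toolchains
		return []string{goVersion + ": unrecognised toolchain version, check manually"}
	}
	var out []string
	g := parseVer(goVersion)
	if less(g, fixGo120) || (g[1] == 21 && less(g, fixGo121)) {
		out = append(out, goVersion+": net/http is vulnerable (fixed in go1.20.10 and go1.21.3)")
	}
	if xnetVersion != "" && less(parseVer(xnetVersion), fixXNet) {
		out = append(out, "golang.org/x/net "+xnetVersion+": http2 is vulnerable (fixed in v0.17.0)")
	}
	return out
}

// findingsFromBuildInfo reads the toolchain and golang.org/x/net versions out
// of embedded build info, honouring a replace directive on the module.
func findingsFromBuildInfo(bi *debug.BuildInfo) []string {
	xnet := ""
	for _, d := range bi.Deps {
		if d.Path == "golang.org/x/net" {
			xnet = d.Version
			if d.Replace != nil {
				xnet = d.Replace.Version
			}
		}
	}
	return findings(bi.GoVersion, xnet)
}

func summary(fs []string) string {
	if len(fs) == 0 {
		return "not affected by CVE-2023-39325"
	}
	return strings.Join(fs, "; ")
}

// With no arguments the program inspects itself; otherwise each argument is the
// path of a Go binary to inspect.
func main() {
	if len(os.Args) < 2 {
		if bi, ok := debug.ReadBuildInfo(); ok {
			fmt.Println("self:", summary(findingsFromBuildInfo(bi)))
		}
		return
	}
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Println(path+":", err)
			continue
		}
		fmt.Println(path+":", summary(findingsFromBuildInfo(bi)))
	}
}
```

Run it as `go run check.go /usr/local/bin/service` (the file and binary names are assumptions). The net/http copy of the HTTP/2 server is fixed by the toolchain version alone, so the golang.org/x/net finding matters only for programs that import golang.org/x/net/http2 directly (for example through http2.ConfigureServer or a library that does); a binary without that dependency gets no x/net finding. A version string that does not start with "go", such as a development toolchain, is reported for manual review rather than guessed at.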

Weakness Enumeration

DoS
Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

ALSA-2023:5721
ALSA-2023:5738
ALSA-2023:5863
ALSA-2023:5867
ALSA-2023:6077
ALT-PU-2023-6262
ALT-PU-2023-6263
ALT-PU-2023-7050
ALT-PU-2023-7055
ALT-PU-2024-11872
ALT-PU-2024-1825
ALT-PU-2024-4847
ALT-PU-2025-13603
AZL-31310
AZL-31608
AZL-31609
AZL-31616
AZL-31639
AZL-31645
AZL-31646
AZL-31647
AZL-31648
AZL-31655
AZL-31660
AZL-31691
AZL-31692
AZL-31857
AZL-31859
AZL-33330
AZL-34015
AZL-34544
AZL-34567
AZL-34588
AZL-34590
AZL-34622
AZL-34625
AZL-34681
AZL-34730
AZL-34747
AZL-34818
AZL-34892
AZL-34963
AZL-34996
AZL-35070
AZL-35096
AZL-35121
AZL-35302
AZL-35349
AZL-35514
AZL-37440
AZL-37478
AZL-39637
AZL-39652
AZL-39895
AZL-42861
AZL-43741
AZL-50339
AZL-79060
BDU:2023-07013
BIT-GOLANG-2023-39325
CESA-2023_5721
CESA-2023_5863
CVE-2023-39325
ECHO-B9EC-6066-CA75
GHSA-4374-P667-P6C8
GO-2023-2102
OESA-2023-1789
OESA-2024-1105
OESA-2024-1126
OESA-2024-1380
OESA-2024-1381
OESA-2024-1382
OESA-2024-1385
OESA-2024-1386
OESA-2024-1387
OESA-2024-1406
OESA-2024-1407
OESA-2024-1408
OESA-2025-1059
OESA-2025-1182
OESA-2025-1183
OESA-2025-1185
OPENSUSE-SU-2023:0360-1
OPENSUSE-SU-2023_4068-1
OPENSUSE-SU-2023_4069-1
OPENSUSE-SU-2023_4469-1
OPENSUSE-SU-2023_4472-1
OPENSUSE-SU-2024:13326-1
OPENSUSE-SU-2024:13327-1
OPENSUSE-SU-2024:13376-1
OPENSUSE-SU-2024:13384-1
OPENSUSE-SU-2024:13506-1
OPENSUSE-SU-2024:14076-1
OPENSUSE-SU-2024_3094-1
OPENSUSE-SU-2024_3097-1
OPENSUSE-SU-2024_3098-1
OPENSUSE-SU-2024_3341-1
OPENSUSE-SU-2024_3342-1
OPENSUSE-SU-2024_3343-1
OPENSUSE-SU-2024_3344-1
RHSA-2023:5009
RHSA-2023:5675
RHSA-2023:5679
RHSA-2023:5717
RHSA-2023:5719
RHSA-2023:5721
RHSA-2023:5738
RHSA-2023:5805
RHSA-2023:5809
RHSA-2023:5810
RHSA-2023:5835
RHSA-2023:5863
RHSA-2023:5864
RHSA-2023:5865
RHSA-2023:5866
RHSA-2023:5867
RHSA-2023:5931
RHSA-2023:5964
RHSA-2023:5965
RHSA-2023:5967
RHSA-2023:5969
RHSA-2023:5970
RHSA-2023:5979
RHSA-2023:5980
RHSA-2023:5982
RHSA-2023:6057
RHSA-2023:6059
RHSA-2023:6077
RHSA-2023:6165
RHSA-2023:6171
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:6243
RHSA-2023:6298
RHSA-2023:6781
RHSA-2023:6782
RHSA-2023:6818
RHSA-2023:6839
RHSA-2023:6840
RHSA-2023:7200
RHSA-2023:7201
RHSA-2023:7288
RHSA-2023:7344
RHSA-2023:7521
RHSA-2023:7699
RHSA-2023_5721
RHSA-2023_5738
RHSA-2023_5835
RHSA-2023_5863
RHSA-2023_5867
RHSA-2023_6077
RHSA-2024:0777
RHSA-2024:4118
RHSA-2026:8322
RLSA-2023:5721
RLSA-2023:5738
RLSA-2023:5863
RLSA-2023:6077
RLSA-2023:6818
SUSE-SU-2023:4068-1
SUSE-SU-2023:4069-1
SUSE-SU-2023:4469-1
SUSE-SU-2023:4472-1
SUSE-SU-2024:3094-1
SUSE-SU-2024:3097-1
SUSE-SU-2024:3098-1
SUSE-SU-2024:3341-1
SUSE-SU-2024:3342-1
SUSE-SU-2024:3343-1
SUSE-SU-2024:3344-1
USN-6574-1
USN-7061-1
USN-7109-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Go Http2 Package
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu