PT-2024-2621 · Go+11 · Net/Http+12

Bartek Nowotarski · Published 2024-03-06 · Updated 2026-06-04 · CVE-2023-45288

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: net/http and net/http2 in Go (affected versions not specified)

Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for an attacker to send.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:1962
ALSA-2024:1963
ALSA-2024:2079
ALSA-2024:2562
ALSA-2024:2699
ALSA-2024:2724
ALSA-2024:3259
ALSA-2024:3346
ALT-PU-2024-11781
ALT-PU-2024-11872
ALT-PU-2024-12202
ALT-PU-2024-12410
ALT-PU-2024-13291
ALT-PU-2024-13881
ALT-PU-2024-13971
ALT-PU-2024-16593
ALT-PU-2024-16754
ALT-PU-2024-3504
ALT-PU-2024-4847
ALT-PU-2024-5071
ALT-PU-2024-5073
ALT-PU-2024-6864
ALT-PU-2024-7595
ALT-PU-2024-8466
ALT-PU-2024-8547
ALT-PU-2024-8810
ALT-PU-2024-9408
ALT-PU-2024-9897
ALT-PU-2025-13603
ALT-PU-2025-8447
AZL-38158
AZL-38173
AZL-38209
AZL-38233
AZL-38260
AZL-38281
AZL-38284
AZL-38302
AZL-38314
AZL-38338
AZL-38392
AZL-38395
AZL-38431
AZL-38473
AZL-38488
AZL-38503
AZL-38542
AZL-38569
AZL-38575
AZL-38581
AZL-38608
AZL-38623
AZL-38635
AZL-38659
AZL-38683
AZL-38692
AZL-38761
AZL-38785
AZL-38839
AZL-38878
AZL-38941
AZL-38950
AZL-38956
AZL-39004
AZL-39022
AZL-39154
AZL-39187
AZL-39202
AZL-39217
AZL-39223
AZL-39229
AZL-39232
AZL-39235
AZL-39238
AZL-39244
AZL-39259
AZL-39268
AZL-39274
AZL-39325
AZL-39334
AZL-39445
AZL-39463
AZL-39484
AZL-39487
AZL-39493
AZL-39505
AZL-39514
AZL-39550
AZL-39571
AZL-39625
AZL-39634
AZL-39678
AZL-39892
AZL-39984
AZL-42706
AZL-42864
AZL-43627
AZL-50336
BDU:2024-02688
BIT-GOLANG-2023-45288
CESA-2024_1962
CESA-2024_2699
CESA-2024_3259
CESA-2024_3346
CLEANSTART-2026-EJ93145
CLEANSTART-2026-HZ73294
CLEANSTART-2026-SQ68600
CVE-2023-45288
ECHO-326D-6F7D-C967
GHSA-4V7X-PQXF-CX7M
GHSA-QC6V-5G5M-8CW2
GO-2024-2687
INFSA-2024_2562
INFSA-2024_2724
INFSA-2024_3259
INFSA-2024_3346
MGASA-2024-0128
OESA-2024-1488
OESA-2025-1184
OESA-2025-1185
OESA-2025-1451
OPENSUSE-SU-2024:13822-1
OPENSUSE-SU-2024:13823-1
OPENSUSE-SU-2024:13824-1
OPENSUSE-SU-2024:13837-1
OPENSUSE-SU-2024:13880-1
OPENSUSE-SU-2024:13881-1
OPENSUSE-SU-2024:13882-1
OPENSUSE-SU-2024:13903-1
OPENSUSE-SU-2024:13905-1
OPENSUSE-SU-2024:13927-1
OPENSUSE-SU-2024:13989-1
OPENSUSE-SU-2024:14053-1
OPENSUSE-SU-2024:14076-1
OPENSUSE-SU-2024:14399-1
OPENSUSE-SU-2024:14400-1
OPENSUSE-SU-2024_1121-1
OPENSUSE-SU-2024_1122-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3097-1
OPENSUSE-SU-2024_3098-1
OPENSUSE-SU-2024_3155-1
OPENSUSE-SU-2024_3341-1
OPENSUSE-SU-2024_3342-1
OPENSUSE-SU-2024_3343-1
OPENSUSE-SU-2024_3344-1
OPENSUSE-SU-2024_3755-1
OPENSUSE-SU-2025:14709-1
OPENSUSE-SU-2025:14714-1
OPENSUSE-SU-2025:14744-1
OPENSUSE-SU-2025:14990-1
OPENSUSE-SU-2025:15075-1
OPENSUSE-SU-2025:15145-1
OPENSUSE-SU-2025:15162-1
OPENSUSE-SU-2025_0299-1
OPENSUSE-SU-2025_0313-1
OPENSUSE-SU-2025_0420-1
OPENSUSE-SU-2025_0458-1
OPENSUSE-SU-2025_0558-1
OPENSUSE-SU-2025_0579-1
OPENSUSE-SU-2025_0581-1
OPENSUSE-SU-2025_0775-1
OPENSUSE-SU-2025_0813-1
OPENSUSE-SU-2025_1332-1
OPENSUSE-SU-2026:10090-1
OPENSUSE-SU-2026:10921-1
OPENSUSE-SU-2026:20609-1
RHSA-2024:1892
RHSA-2024:1897
RHSA-2024:1899
RHSA-2024:1962
RHSA-2024:1963
RHSA-2024:2049
RHSA-2024:2079
RHSA-2024:2562
RHSA-2024:2625
RHSA-2024:2667
RHSA-2024:2671
RHSA-2024:2672
RHSA-2024:2699
RHSA-2024:2724
RHSA-2024:2729
RHSA-2024:2892
RHSA-2024:2935
RHSA-2024:2936
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:3352
RHSA-2024:3467
RHSA-2024:3781
RHSA-2024:4023
RHSA-2024:4125
RHSA-2024:4146
RHSA-2024:4543
RHSA-2024:4545
RHSA-2024:4546
RHSA-2024:4933
RHSA-2024:4934
RHSA-2024_1962
RHSA-2024_1963
RHSA-2024_2079
RHSA-2024_2562
RHSA-2024_2625
RHSA-2024_2699
RHSA-2024_2724
RHSA-2024_3259
RHSA-2024_3346
RLSA-2024:1962
RLSA-2024:2562
RLSA-2024:2699
RLSA-2024:2724
RLSA-2024:3259
RLSA-2024:3346
SUSE-SU-2024:1121-1
SUSE-SU-2024:1122-1
SUSE-SU-2024:1160-1
SUSE-SU-2024:1161-1
SUSE-SU-2024:2108-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3097-1
SUSE-SU-2024:3098-1
SUSE-SU-2024:3155-1
SUSE-SU-2024:3188-1
SUSE-SU-2024:3341-1
SUSE-SU-2024:3342-1
SUSE-SU-2024:3343-1
SUSE-SU-2024:3344-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
SUSE-SU-2024_1121-1
SUSE-SU-2024_1122-1
SUSE-SU-2024_1160-1
SUSE-SU-2024_1161-1
SUSE-SU-2024_2108-1
SUSE-SU-2024_3155-1
SUSE-SU-2025:01985-1
SUSE-SU-2025:01987-1
SUSE-SU-2025:01988-1
SUSE-SU-2025:01989-1
SUSE-SU-2025:01990-1
SUSE-SU-2025:01991-1
SUSE-SU-2025:01992-1
SUSE-SU-2025:0295-1
SUSE-SU-2025:0299-1
SUSE-SU-2025:0306-1
SUSE-SU-2025:0313-1
SUSE-SU-2025:0318-1
SUSE-SU-2025:0342-1
SUSE-SU-2025:0346-1
SUSE-SU-2025:0420-1
SUSE-SU-2025:0458-1
SUSE-SU-2025:0558-1
SUSE-SU-2025:0579-1
SUSE-SU-2025:0581-1
SUSE-SU-2025:0775-1
SUSE-SU-2025:0813-1
SUSE-SU-2025:1332-1
SUSE-SU-2025:20091-1
SUSE-SU-2025:20143-1
SUSE-SU-2025:20179-1
SUSE-SU-2025:20279-1
SUSE-SU-2025:20363-1
SUSE-SU-2025_01987-1
SUSE-SU-2025_01988-1
SUSE-SU-2025_0299-1
SUSE-SU-2025_0313-1
SUSE-SU-2025_0420-1
SUSE-SU-2025_0458-1
SUSE-SU-2025_0581-1
SUSE-SU-2025_0775-1
SUSE-SU-2025_0813-1
SUSE-SU-2025_1332-1
SUSE-SU-2026:20483-1
SUSE-SU-2026:20486-1
USN-6886-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Net/Http
Net/Http2