Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
CVE-2022-41723
7.5 HIGH
What is CVE-2022-41723?
A flaw in the HPACK header decoder used by Go's HTTP/2 implementation lets a maliciously crafted HTTP/2 stream drive the decoder into excessive CPU consumption. A small number of small requests is enough to exhaust CPU on the receiving side, so the practical impact is a remotely triggerable denial of service with no authentication or user interaction required. The decoder lives in golang.org/x/net/http2/hpack, and net/http ships a bundled copy of golang.org/x/net/http2 (including hpack), so a Go HTTP/2 server built with an affected toolchain is exposed even if it never imports golang.org/x/net directly. The fix is in Go 1.19.6 and golang.org/x/net v0.7.0: rebuild with a fixed toolchain and update the golang.org/x/net dependency in every binary that serves HTTP/2.
Affected Version(s)
golang.org/x/net/http2: all versions before 0.7.0
golang.org/x/net/http2/hpack: all versions before 0.7.0
net/http: all versions before 1.19.6 (Go 1.20.0 is also affected; the fix is in Go 1.20.1)
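The affected ranges above can be checked against a built binary rather than against source: `go version -m <binary>` prints the toolchain that compiled it and every module compiled in, which is exactly what the two ranges key on (the toolchain for the bundled net/http http2, the golang.org/x/net version for the standalone module). The scanner below is an added example, not code from the Go project or from this advisory. It assumes the `go version -m` text format (first line `<path>: go1.x.y`, then tab-separated `dep` / `=>` lines), a constructed sample with placeholder hashes, and the fact, from Go's release history rather than this page, that Go 1.20.0 is affected and 1.20.1 carries the fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one component of a built binary inside the advisory's affected range.
type Finding struct {
	Component string // toolchain (net/http's bundled http2) or a module path
	Version   string
	FixedIn   string
}

// parseVersion reduces "go1.19.5", "v0.5.0", "go1.20", "go1.20rc1" or a
// pseudo-version such as "v0.0.0-20220901120000-abcdefabcdef" to
// [major, minor, patch]. Pre-release/build suffixes are dropped, so a v0.0.0
// pseudo-version sorts below every tagged release and is flagged.
func parseVersion(s string) ([3]int, bool) {
	var out [3]int
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.SplitN(s, ".", 3)
	if len(parts) < 2 {
		return out, false // "(devel)" and similar are not versions
	}
	for i, p := range parts {
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++ // keep only the leading digits: "20rc1" -> "20"
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// goToolchainFixed returns the first release on the toolchain's minor line that
// carries the fix, or "" when the toolchain is not affected. 1.19.6 is from the
// advisory; 1.20.0 shipped before the fix and got it in 1.20.1 (assumption from
// Go's release history, not this page). Older, unsupported lines never got it.
func goToolchainFixed(goVersion string) string {
	v, ok := parseVersion(goVersion)
	if !ok || v[0] != 1 || v[1] >= 21 {
		return ""
	}
	if v[1] == 20 {
		if less(v, [3]int{1, 20, 1}) {
			return "go1.20.1"
		}
		return ""
	}
	if less(v, [3]int{1, 19, 6}) {
		return "go1.19.6"
	}
	return ""
}

// xNetFixed: http2 and http2/hpack ship in the one golang.org/x/net module, fixed in v0.7.0.
func xNetFixed(version string) string {
	if v, ok := parseVersion(version); ok && less(v, [3]int{0, 7, 0}) {
		return "v0.7.0"
	}
	return ""
}

// ScanGoVersionM reads `go version -m <binary>` output and reports components in
// the affected ranges. A "=>" line after a dep is a replace directive; the
// replacement is what was actually compiled in, so it overrides the dep version.
// Unparseable versions (a local replace shows "(devel)") are skipped and need a manual look.
func ScanGoVersionM(output string) []Finding {
	var findings []Finding
	lines := strings.Split(output, "\n")
	if i := strings.LastIndex(lines[0], ": "); i >= 0 { // "<path>: go1.19.5"
		goVer := strings.TrimSpace(lines[0][i+2:])
		if fixed := goToolchainFixed(goVer); fixed != "" {
			findings = append(findings, Finding{"go toolchain (net/http bundled http2)", goVer, fixed})
		}
	}
	xnet, lastDepWasXNet := "", false
	for _, line := range lines[1:] {
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(f) < 3 {
			continue
		}
		switch f[0] {
		case "dep":
			lastDepWasXNet = f[1] == "golang.org/x/net"
			if lastDepWasXNet {
				xnet = f[2]
			}
		case "=>":
			if lastDepWasXNet {
				xnet = f[2]
			}
		}
	}
	if fixed := xNetFixed(xnet); fixed != "" {
		findings = append(findings, Finding{"golang.org/x/net", xnet, fixed})
	}
	return findings
}

// Constructed sample of `go version -m` output (hashes are placeholders):
// a server built with Go 1.19.5 against x/net v0.5.0, so both ranges match.
const sampleGoVersionM = "/usr/local/bin/api-server: go1.19.5\n" +
	"\tpath\texample.com/api-server\n" +
	"\tmod\texample.com/api-server\t(devel)\n" +
	"\tdep\tgolang.org/x/net\tv0.5.0\th1:placeholder=\n" +
	"\tdep\tgolang.org/x/text\tv0.6.0\th1:placeholder=\n" +
	"\tbuild\t-compiler=gc\n"

func main() {
	for _, f := range ScanGoVersionM(sampleGoVersionM) {
		fmt.Printf("AFFECTED %s %s (fixed in %s)\n", f.Component, f.Version, f.FixedIn)
	}
}
```

In practice the sample constant is replaced by the real output piped in from `go version -m` over every deployed Go binary; the toolchain finding is the one people miss, because a service that only imports net/http still carries the bundled http2 and hpack code. For source trees rather than binaries, govulncheck (golang.org/x/vuln/cmd/govulncheck) performs the same range check against the Go vulnerability database.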
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Philippe Antoine (Catena cyber)