HTTP/2 rapid reset can cause excessive work in net/http
CVE-2023-39325

7.5 HIGH

Key Information:

Vendor:
CVE Published: 11 October 2023

What is CVE-2023-39325?

HTTP/2 servers built on the affected packages are vulnerable to a malicious client that opens streams in rapid succession and immediately resets each one. The server bounds per-connection work through its MaxConcurrentStreams setting, but a reset stream stops counting against that limit even though the server has already begun processing the request, so a client that keeps creating and cancelling streams can drive the server well past the intended limit and consume excessive resources. The fix restricts the number of requests handled concurrently: requests that arrive while the limit is reached are queued until a handler finishes, and the connection is terminated if that queue grows beyond capacity, keeping resource use within the established limits.

Affected Version(s)

golang.org/x/net/http2: 0 <= version < 0.17.0
net/http: 0 <= version < 1.20.10
net/http: 1.21.0-0 <= version < 1.21.3
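To check a deployed service against the ranges above, here is an added example (not part of the advisory or of the Go project) in Go: it compares a Go toolchain version or a golang.org/x/net module version, in the form printed by `go version -m <binary>`, against the intervals listed. It assumes three-component versions, treats the advisory's `1.21.0-0` as the earliest 1.21.0 pre-release, and the function names are my own.

```go
package main

import (
	"strconv"
	"strings"
)

// Ranges exactly as the advisory lists them ("introduced <= v < fixed";
// "0" means every version since the first release).
var affected = []struct{ pkg, introduced, fixed string }{
	{"golang.org/x/net/http2", "0", "0.17.0"},
	{"net/http", "0", "1.20.10"},
	{"net/http", "1.21.0-0", "1.21.3"},
}

// parseVersion turns "v0.16.0", "go1.21.2" or "1.21.0-0" into one sortable
// integer (major*1e6 + minor*1e3 + patch); the pre-release suffix is dropped.
func parseVersion(v string) (key int, err error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v = v[:i] // "1.21.0-0" sorts as the first 1.21.0 release
	}
	parts := strings.SplitN(v, ".", 3)
	for i := 0; i < 3; i++ { // pad "0" or "1.21" out to three components
		n := 0
		if i < len(parts) {
			if n, err = strconv.Atoi(parts[i]); err != nil {
				return 0, err // e.g. "go1.21rc1" is reported, not guessed
			}
		}
		key = key*1000 + n
	}
	return key, nil
}

// IsAffected reports whether pkg at version lies in an advisory range. For
// golang.org/x/net/http2 pass the golang.org/x/net module version from
// `go version -m <binary>`; for net/http pass that output's toolchain version.
func IsAffected(pkg, version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affected {
		lo, _ := parseVersion(r.introduced) // advisory values are well-formed
		hi, _ := parseVersion(r.fixed)
		if r.pkg == pkg && lo <= v && v < hi {
			return true, nil
		}
	}
	return false, nil
}
```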

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
