You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
golang.org/x/net
(Go)
>= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862
0.1.1-0.20221104162952-702349b0e862
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
golang.org/x/net/http2 Denial of Service vulnerability
Package
Affected versions
Patched version
golang.org/x/net
(Go)
< 0.0.0-20220906165146-f3363e06e74c
0.0.0-20220906165146-f3363e06e74c
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Uncontrolled Resource Consumption
Package
Affected versions
Patched version
golang.org/x/net
(Go)
< 0.7.0
0.7.0
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
The text was updated successfully, but these errors were encountered:
The text was updated successfully, but these errors were encountered: