CVE-2022-41721

golang.org/x/net/http2/h2c vulnerable to request smuggling attack in go/golang.org/x/net/http2/h2c

Identifiers

GHSA-fxg5-wq6x-vr4w, CVE-2022-41721

Package Slug

go/golang.org/x/net/http2/h2c

Vulnerability

golang.org/x/net/http2/h2c vulnerable to request smuggling attack

Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Affected Versions

All versions starting from 0.0.0-20220524220425-1d687d428aca before 0.1.1-0.20221104162952-702349b0e862

Solution

Upgrade to version 0.1.1-0.20221104162952-702349b0e862 or above.

Last Modified

2023-01-23

source