CVE-2022-41717: Allocation of Resources Without Limits or Throttling

December 8, 2022 (updated January 18, 2023)

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

References

github.com/advisories/GHSA-xrjj-mj9h-534m
go.dev/cl/455635
go.dev/cl/455717
go.dev/issue/56350
groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
nvd.nist.gov/vuln/detail/CVE-2022-41717
pkg.go.dev/vuln/GO-2022-1144

Detect and mitigate CVE-2022-41717 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →