CVE-2022-41721: golang.org/x/net/http2/h2c vulnerable to request smuggling attack

January 14, 2023 (updated January 20, 2023)

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

References

github.com/advisories/GHSA-fxg5-wq6x-vr4w
go.dev/cl/447396
go.dev/issue/56352
nvd.nist.gov/vuln/detail/CVE-2022-41721
pkg.go.dev/vuln/GO-2023-1495

Detect and mitigate CVE-2022-41721 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →