Vulnerability Report: GO-2022-0236
standard library
- Aliases: CVE-2021-31525, GHSA-h86h-8ppg-mxmh
- Affects: net/http, golang.org/x/net
- Published: Jul 15, 2022
- Modified: May 20, 2024
A malicious HTTP server or client can cause the net/http client or server to panic. ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
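The description names two knobs that decide exposure on an affected Go version: Server.MaxHeaderBytes (safe as long as it stays at the 1 MB default) and the client-side Transport, which is vulnerable as shipped. The following is an added Go example, not code from the Go project or from this report, showing the hardened shape of both plus a check a reviewer can run over an existing configuration. http.DefaultMaxHeaderBytes, Server.MaxHeaderBytes and Transport.MaxResponseHeaderBytes are real net/http identifiers; the function names and the loopback probe scenario are constructed for this example. Updating Go is the actual fix; these caps keep header sizes bounded so an unpatched runtime never reaches the multi-megabyte threshold.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// headerCap is the 1 MiB request-header default the report describes as safe.
// http.DefaultMaxHeaderBytes is the real net/http constant holding that value.
const headerCap = http.DefaultMaxHeaderBytes

// NewServer pins Server.MaxHeaderBytes to the default instead of raising it.
// Zero would also select the default; setting it explicitly makes the choice
// visible in review and keeps an unpatched runtime from buffering the
// multi-megabyte header that triggers the panic.
func NewServer(h http.Handler) *http.Server {
	return &http.Server{
		Handler:           h,
		MaxHeaderBytes:    headerCap,
		ReadHeaderTimeout: 10 * time.Second, // also bounds slow header senders
	}
}

// NewClient bounds how many response-header bytes the Transport will read.
// The report says Transport and Client are vulnerable as shipped, so an
// explicit cap is the client-side counterpart of the server default.
func NewClient() *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{MaxResponseHeaderBytes: headerCap},
	}
}

// ServerLimitIsSafe reports whether a Server keeps request headers within the
// 1 MiB default. Zero means "use the default"; anything larger is the override
// the report warns about.
func ServerLimitIsSafe(s *http.Server) bool {
	return s.MaxHeaderBytes <= headerCap
}

// ClientLimitIsSet reports whether a Client's Transport carries an explicit
// response-header cap no larger than headerCap. A nil Transport or a zero
// field means net/http's own behaviour, which the report says is vulnerable.
func ClientLimitIsSet(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	return ok && tr.MaxResponseHeaderBytes > 0 && tr.MaxResponseHeaderBytes <= headerCap
}

// probeOversizedResponseHeader (constructed scenario) plays the hostile server
// on loopback: it answers with a single header of size bytes and returns the
// error the capped client reports instead of buffering the whole header.
func probeOversizedResponseHeader(c *http.Client, size int) error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Padding", strings.Repeat("a", size))
	}))
	defer srv.Close()
	resp, err := c.Get(srv.URL)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

func main() {
	srv := NewServer(http.NotFoundHandler())
	fmt.Println("server limit safe:", ServerLimitIsSafe(srv))
	raised := &http.Server{MaxHeaderBytes: 16 << 20} // the override the report warns about
	fmt.Println("raised limit safe:", ServerLimitIsSafe(raised))

	c := NewClient()
	fmt.Println("client cap set:", ClientLimitIsSet(c))
	// A 2 MiB header exceeds the 1 MiB cap, so Get fails before ReadResponse
	// ever sees the full header.
	fmt.Println("2 MiB response header:", probeOversizedResponseHeader(c, 2<<20))
}
```

ServerLimitIsSafe and ClientLimitIsSet are the pieces worth wiring into a startup self-check or a unit test of your own server and client constructors; the probe only exists to show the cap taking effect against a hostile peer.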
Affected Packages
Path: net/http
- Go Versions: before go1.15.12, from go1.16.0-0 before go1.16.4
- Symbols: 4 unexported affected symbols
  - http2clientStream.writeRequest
  - http2isConnectionCloseRequest
  - isProtocolSwitchHeader
  - shouldClose
Path: golang.org/x/net
- Versions: before v0.0.0-20210428140749-89ef3d95e781
References
- https://go.dev/cl/313069
- https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9
- https://go.dev/issue/45710
- https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
- https://vuln.go.dev/ID/GO-2022-0236.json
Credits
- Guido Vranken