[GO-2022-1144] Excessive memory growth in net/http and golang.org/x/net/http2

Severity Medium
Affected Packages 3
Fixed Packages 3
CVEs 1

An attacker can cause excessive memory growth in a Go server accepting HTTP/2
requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the
client. While the total number of entries in this cache is capped, an attacker
sending very large keys can cause the server to allocate approximately 64 MiB
per open connection.

Package                              Affected Version
pkg:golang/net/http                  >= 1.19.3, < 1.18.9
pkg:golang/net/http                  >= 1.19.3, < 1.19.4
pkg:golang/golang.org/x/net/http2    >= 0.3.0, < 0.4.0
ID             GO-2022-1144
Severity       medium
Severity from  CVE-2022-41717
URL            https://pkg.go.dev/vuln/GO-2022-1144
Published      2022-12-08T17:16:22 (21 months ago)
Modified       2024-07-17T19:54:18 (2 months ago)
Other Advisories
Source             URL
Security Advisory  https://github.com/advisories/GHSA-xrjj-mj9h-534m
Type      Package URL                          Namespace          Name / Product  Version
Fixed     pkg:golang/net/http                  net                http            = 1.18.9
Affected  pkg:golang/net/http                  net                http            >= 1.19.3, < 1.18.9
Fixed     pkg:golang/net/http                  net                http            = 1.19.4
Affected  pkg:golang/net/http                  net                http            >= 1.19.3, < 1.19.4
Fixed     pkg:golang/golang.org/x/net/http2    golang.org/x/net   http2           = 0.4.0
Affected  pkg:golang/golang.org/x/net/http2    golang.org/x/net   http2           >= 0.3.0, < 0.4.0