blob: 9b532bb98ed6523aaa12fa8198505fa2733807e0 [file] [log] [blame]
id: GO-2022-0236
modules:
- module: std
versions:
- fixed: 1.15.12
- introduced: 1.16.0-0
fixed: 1.16.4
vulnerable_at: 1.16.3
packages:
- package: net/http
symbols:
- http2clientStream.writeRequest
- http2isConnectionCloseRequest
- isProtocolSwitchHeader
- shouldClose
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20210428140749-89ef3d95e781
vulnerable_at: 0.0.0-20210427231257-85d9c07bbe3a
packages:
- package: golang.org/x/net/http/httpguts
symbols:
- headerValueContainsToken
derived_symbols:
- HeaderValuesContainsToken
summary: Panic due to large headers in net/http and golang.org/x/net/http/httpguts
description: |-
A malicious HTTP server or client can cause the net/http client or server to
panic.
ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very
large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones).
Transport and Client are vulnerable and the program can be made to crash by a
malicious server. Server is not vulnerable by default, but can be if the default
max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher
value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in
golang.org/x/net/http/httpguts.
published: 2022-07-15T23:04:18Z
cves:
- CVE-2021-31525
ghsas:
- GHSA-h86h-8ppg-mxmh
credits:
- Guido Vranken
references:
- fix: https://go.dev/cl/313069
- fix: https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9
- report: https://go.dev/issue/45710
- web: https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
review_status: REVIEWED