CVE-2023-45288

Aliases: GHSA-4v7x-pqxf-cx7m, BIT-golang-2023-45288, GO-2024-2687, CGA-8q47-wf6v-wqg5, CGA-grww-v9jg-rhw2
Deferred
Published: 04 Apr 2024, 20:37
Last modified: 04 Nov 2025, 18:17

Vulnerability Summary

Overall Risk (default): medium (45/100)
CVSS Score: 7.5 HIGH, v3.1 (cve.org)
EPSS Score: 75.27% CRITICAL (75% probability, +8.63%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

04 Apr 2024, 20:37: Published (vulnerability first disclosed)
04 Nov 2025, 18:17: Last Modified (vulnerability information updated)

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
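The mechanism the description sketches (excess header fragments are not stored but still have to be parsed, so the fix caps how much excess a connection will process) is illustrated below in a small Go model of the receiving side of one HTTP/2 header block. This is an added example, not code from the Go project or from this record: the frame layout follows RFC 7540, but the `headerReader` type, its `maxExcessBytes` field and the sample frames are constructed for illustration, and no HPACK decoding is performed. The real fix lives in net/http and golang.org/x/net/http2, so upgrading to the versions listed under Affected Systems is the actual mitigation.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame type and flag values from RFC 7540 (HTTP/2).
const (
	frameTypeHeaders      uint8 = 0x1
	frameTypeContinuation uint8 = 0x9
	flagEndHeaders        uint8 = 0x4
	frameHeaderLen              = 9
)

var (
	// ErrExcessHeaders: the peer kept sending header data after the request was
	// already rejected for exceeding maxHeaderBytes. Treat it as a connection
	// error (close the connection), not merely a rejected stream.
	ErrExcessHeaders = errors.New("connection error: header data exceeds excess limit")
	// ErrUnexpectedFrame: a header block is one HEADERS frame followed only by CONTINUATION frames.
	ErrUnexpectedFrame = errors.New("protocol error: unexpected frame type in header block")
	// ErrIncomplete: the input ended before a frame carrying END_HEADERS.
	ErrIncomplete = errors.New("incomplete header block")
)

// encodeFrame builds one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload.
func encodeFrame(typ, flags uint8, stream uint32, payload []byte) []byte {
	buf := make([]byte, frameHeaderLen+len(payload))
	buf[0] = byte(len(payload) >> 16)
	buf[1] = byte(len(payload) >> 8)
	buf[2] = byte(len(payload))
	buf[3] = typ
	buf[4] = flags
	binary.BigEndian.PutUint32(buf[5:9], stream&0x7fffffff)
	copy(buf[frameHeaderLen:], payload)
	return buf
}

// headerReader models how a server handles one request's header block (constructed type).
type headerReader struct {
	maxHeaderBytes int // header bytes we keep for the request (like http.Server.MaxHeaderBytes)
	maxExcessBytes int // assumed cap on header bytes we still parse once the request is rejected
}

// readHeaderBlock walks HEADERS/CONTINUATION frames until END_HEADERS. Fragments past
// maxHeaderBytes are not stored (the request is rejected) but must still be consumed so
// HPACK state stays in sync with the peer; maxExcessBytes bounds that work, so a flood of
// CONTINUATION frames becomes a connection error instead of unbounded parsing.
func (r headerReader) readHeaderBlock(wire []byte) (block []byte, rejected bool, err error) {
	excess, i := 0, 0
	for first := true; ; first = false {
		if len(wire)-i < frameHeaderLen {
			return nil, rejected, ErrIncomplete
		}
		hdr := wire[i : i+frameHeaderLen]
		length := int(hdr[0])<<16 | int(hdr[1])<<8 | int(hdr[2])
		typ, flags := hdr[3], hdr[4]
		if (first && typ != frameTypeHeaders) || (!first && typ != frameTypeContinuation) {
			return nil, rejected, ErrUnexpectedFrame
		}
		i += frameHeaderLen
		if len(wire)-i < length {
			return nil, rejected, ErrIncomplete
		}
		fragment := wire[i : i+length]
		i += length

		if !rejected && len(block)+len(fragment) <= r.maxHeaderBytes {
			block = append(block, fragment...)
		} else {
			rejected = true // over the limit: parse but do not store
			excess += len(fragment)
			if excess > r.maxExcessBytes {
				return nil, true, ErrExcessHeaders
			}
		}
		if flags&flagEndHeaders != 0 {
			if rejected {
				return nil, true, nil
			}
			return block, false, nil
		}
	}
}

func main() {
	// Constructed sample: a 64-byte HEADERS fragment followed by three 64-byte CONTINUATION frames.
	chunk := make([]byte, 64)
	var wire []byte
	wire = append(wire, encodeFrame(frameTypeHeaders, 0, 1, chunk)...)
	wire = append(wire, encodeFrame(frameTypeContinuation, 0, 1, chunk)...)
	wire = append(wire, encodeFrame(frameTypeContinuation, 0, 1, chunk)...)
	wire = append(wire, encodeFrame(frameTypeContinuation, flagEndHeaders, 1, chunk)...)

	for _, r := range []headerReader{
		{maxHeaderBytes: 1024, maxExcessBytes: 1024}, // within limit: accepted
		{maxHeaderBytes: 100, maxExcessBytes: 1024},  // over limit, excess bounded: request rejected, connection kept
		{maxHeaderBytes: 100, maxExcessBytes: 100},   // over limit and excess cap hit: connection error
	} {
		block, rejected, err := r.readHeaderBlock(wire)
		fmt.Printf("max=%d excess=%d -> kept=%d rejected=%v err=%v\n",
			r.maxHeaderBytes, r.maxExcessBytes, len(block), rejected, err)
	}
}
```

The three runs in `main` show the accepted case, the pre-fix behaviour (request rejected but every excess fragment still parsed) and the fixed behaviour (the connection is dropped once excess parsing passes the cap). Without the second limit, the only cost to the sender of more CONTINUATION frames is bandwidth, while the receiver pays for parsing all of them.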

CVSS Metrics

  • v3.1 HIGH, score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v3.1 MEDIUM, score 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Trends

Current EPSS score: 75.27% Percentile: 99%

Affected Systems

  • chainguard: newrelic-fluent-bit-output, < 1.19.2-r2
  • chainguard: vault-fips-1.14, < 1.14.10-r0
  • go standard library: net/http, < 1.21.9 | ≥ 1.22.0-0, < 1.22.2
  • golang.org/x: net, < 0.23.0
  • golang.org/x/net: http2, < 0.23.0
  • net/http, < 1.21.9 | ≥ 1.22.0-0, < 1.22.2
  • Go: stdlib, ≥ 1.22.0-0, < 1.22.2
  • golang.org/x/net: golang.org/x/net/http2, < 0.23.0

References (13)