Go HTTP/2 Server: Excessive Memory via Large Header Keys
CVE-2022-41717 Published on December 8, 2022

Excessive memory growth in net/http and golang.org/x/net/http2
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

NVD

Products Associated with CVE-2022-41717

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-41717 are published in these products:

GoLang Go

GoLang Http2

Canonical Ubuntu Linux

Fedora Project Fedora

Affected Versions

Go standard library net/http:

Before 1.18.9 is affected.
Version 1.19.0-0 and below 1.19.4 is affected.

golang.org/x/net/http2:

Before 0.4.0 is affected.

Exploit Probability

EPSS

0.28%

Percentile

50.82%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Go HTTP/2 Server: Excessive Memory via Large Header KeysCVE-2022-41717 Published on December 8, 2022

Products Associated with CVE-2022-41717

Affected Versions

Exploit Probability

Go HTTP/2 Server: Excessive Memory via Large Header Keys
CVE-2022-41717 Published on December 8, 2022