CVE-2023-45288
HTTP/2 CONTINUATION flood in net/http
Public Exploits: 1
Exploited in Wild: -
Descriptions
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.
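As an added illustration, not code from the Go project or from this page, the following Go sketch parses raw HTTP/2 frames and applies the kind of bound the fix describes: it sums the bytes of each HEADERS/CONTINUATION block and reports "close the connection" once a block exceeds MaxHeaderBytes by more than an allowance (the fix bounds excess header frames; counting bytes here is a simplification). Frame layout follows RFC 9113; the function names, the constructed sample frames, and the 4096/8192 limits are assumptions for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	frameHeaders      = 0x1 // HTTP/2 frame type HEADERS (RFC 9113)
	frameContinuation = 0x9 // HTTP/2 frame type CONTINUATION
	flagEndHeaders    = 0x4 // END_HEADERS flag: the header block is complete
)
// buildFrame serialises a 9-byte HTTP/2 frame header plus payload; used only to construct sample input.
func buildFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	n := len(payload)
	b := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(b[5:], streamID&0x7fffffff)
	return append(b, payload...)
}

// checkHeaderBlocks sums the bytes of each header block (one HEADERS frame plus the CONTINUATION
// frames that follow it until END_HEADERS) and returns an error, meaning "close the connection", once
// a block exceeds maxHeaderBytes by more than excess bytes; the unfixed decoder kept parsing instead.
func checkHeaderBlocks(raw []byte, maxHeaderBytes, excess int) (frames int, err error) {
	inBlock, seen, stream := false, 0, uint32(0)
	for len(raw) > 0 {
		if len(raw) < 9 {
			return frames, fmt.Errorf("truncated frame header")
		}
		n := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
		typ, flags, id := raw[3], raw[4], binary.BigEndian.Uint32(raw[5:9])&0x7fffffff
		if len(raw) < 9+n {
			return frames, fmt.Errorf("truncated frame payload")
		}
		raw, frames = raw[9+n:], frames+1
		switch {
		case !inBlock && typ == frameHeaders:
			inBlock, stream, seen = true, id, n
		case inBlock && typ == frameContinuation && id == stream:
			seen += n
		case inBlock: // only CONTINUATION on the same stream may follow an open header block
			return frames, fmt.Errorf("stream %d: frame type %#x inside header block", stream, typ)
		}
		if inBlock && seen > maxHeaderBytes+excess {
			return frames, fmt.Errorf("stream %d: %d header bytes exceed limit %d plus allowance %d", stream, seen, maxHeaderBytes, excess)
		}
		inBlock = inBlock && flags&flagEndHeaders == 0
	}
	return frames, nil
}
```

With a constructed block of one 100-byte HEADERS frame followed by 1000-byte CONTINUATION frames that never set END_HEADERS, the check stops at the 14th frame instead of reading the rest of the stream.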
This update for kubernetes1.23 fixes the following issues:
- Escape, meta and control sequences in raw data output to the terminal were not neutralized.
- Bypass of policies imposed by the ImagePolicyWebhook admission plugin.
- Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
- go1.20: excessive resource consumption when dealing with rapid stream resets.
- google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability.
- golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers.
- kube-controller-manager pod crash when processing malformed HPA v1 manifests.
- Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
- github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON.
Bug fixes:
- Use -trimpath in non-DBG mode for reproducible builds.
- Fixed multiple issues for a successful 'kubeadm init' run.
- Update go to version 1.22.5 in build requirements.
SSVC
- Decision: Attend
Timeline
- 2023-10-06 CVE Reserved
- 2024-04-04 CVE Published
- 2024-10-23 First Exploit
- 2025-02-13 CVE Updated
- 2025-07-22 EPSS Updated
CWE
- CWE-400: Uncontrolled Resource Consumption
References (11)
URL | Date | SRC
---|---|---
https://github.com/hex0punk/cont-flood-poc | 2024-10-23 |
https://access.redhat.com/security/cve/CVE-2023-45288 | 2025-05-28 |
https://bugzilla.redhat.com/show_bug.cgi?id=2268273 | 2025-05-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Go Standard Library | net/http | < 1.21.9 | Affected
Go Standard Library | net/http | >= 1.22.0-0 < 1.22.2 | Affected
golang.org/x/net | golang.org/x/net/http2 | < 0.23.0 | Affected