CVE-2024-24791
Denial of service due to improper 100-continue handling in net/http
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
El cliente net/http HTTP/1.1 manejó mal el caso en el que un servidor responde a una solicitud con un encabezado "Expect: 100-continue" con un estado no informativo (200 o superior). Este mal manejo podría dejar una conexión de cliente en un estado no válido, donde la siguiente solicitud enviada a la conexión fallará. Un atacante que envía una solicitud a un proxy net/http/httputil.ReverseProxy puede aprovechar este mal manejo para provocar una denegación de servicio enviando solicitudes "Esperar: 100-continuar" que provocan una respuesta no informativa del backend. Cada una de estas solicitudes deja al proxy con una conexión no válida y provoca que falle una solicitud posterior que utiliza esa conexión.
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-01-30 CVE Reserved
- 2024-07-02 CVE Published
- 2024-10-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://go.dev/cl/591255 | ||
| https://go.dev/issue/67555 | ||
| https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ | ||
| https://pkg.go.dev/vuln/GO-2024-2963 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-24791 | 2025-03-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2295310 | 2025-03-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Go Standard Library Search vendor "Go Standard Library" | Net/http Search vendor "Go Standard Library" for product "Net/http" | < 1.21.12 Search vendor "Go Standard Library" for product "Net/http" and version " < 1.21.12" | en |
Affected
| ||||||
| Go Standard Library Search vendor "Go Standard Library" | Net/http Search vendor "Go Standard Library" for product "Net/http" | >= 1.22.0-0 < 1.22.5 Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.22.0-0 < 1.22.5" | en |
Affected
| ||||||