Skip to content

net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) #57855

New issue
New issue
Closed
Unity-and-wireless-communications/net
#14
Closed
net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)#57855
Unity-and-wireless-communications/net
#14
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security
Milestone
Go1.21
@neild

Description

@neild
neild
opened on Jan 17, 2023

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is a PRIVATE issue for CVE-2022-41723, tracked in http://b/262602307 and fixed by http://tg/1688184.

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions