Approved changes feed: RSS · Atom
cpe:2.3:a:go_standard_library:net\/http:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Go Standard Library (50bc78d3-15d0-59a4-bc22-a964570e0614) |
|---|---|
| Product | Net/Http (946477f3-4e91-5cd0-a6d0-4366b8769286) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-45288 |
vulnerable | 2026-06-03 14:53:07.911951 |
HTTP/2 CONTINUATION flood in net/http
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Published: 2024-04-04T20:37:30.714Z
Updated: 2025-11-04T18:17:43.583Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.