Panic due to large headers in net/http and golang.org/x/net/http/httpguts
Overview
Source
ID: GO-2022-0236
Aliases: BIT-golang-2021-31525, CVE-2021-31525, GHSA-h86h-8ppg-mxmh
Affected package
Description
A malicious HTTP server or client can cause the net/http client or server to panic.
ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
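The description above gives the two knobs a defender actually controls in unpatched code: the server is only exposed once Server.MaxHeaderBytes is raised above the 1MB default, and the client side reads response headers through a Transport. The Go program below is an added example, not code from the advisory or from the Go project. It checks an http.Server configuration against the default limit, and it shows that the real Transport field MaxResponseHeaderBytes (a standard net/http field, though the advisory does not name it as a mitigation; upgrading to the fixed version is the fix) caps how much response-header data the client will read before giving up. The local test server and its 4 KiB header value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// serverLimitIsSafe reports whether an http.Server keeps its request-header
// limit at or below the net/http default (http.DefaultMaxHeaderBytes, 1 MiB).
// The advisory says Server is only exposed when MaxHeaderBytes is raised above
// that default, so a raised value is what a configuration review should flag.
// Zero means "use the default".
func serverLimitIsSafe(srv *http.Server) bool {
	return srv.MaxHeaderBytes == 0 || srv.MaxHeaderBytes <= http.DefaultMaxHeaderBytes
}

// newClientWithHeaderLimit builds a client whose Transport stops reading a
// response once more than limit bytes of header data have arrived.
// MaxResponseHeaderBytes is a real net/http Transport field; its 10 MiB default
// is above the thresholds quoted in the advisory, so a small explicit value is
// chosen here (assumption: 1 MiB is an acceptable ceiling for the caller).
func newClientWithHeaderLimit(limit int64) *http.Client {
	return &http.Client{Transport: &http.Transport{MaxResponseHeaderBytes: limit}}
}

// demoHeaderLimit starts a local test server (constructed for this example)
// that answers with a single 4 KiB header value, then fetches it with the given
// response-header limit. It returns the client error, if any, so the caller can
// see whether the limit stopped the read before the whole header was consumed.
func demoHeaderLimit(limit int64) error {
	const bigValue = 4096
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Oversized", strings.Repeat("a", bigValue))
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	resp, err := newClientWithHeaderLimit(limit).Get(srv.URL)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

func main() {
	safe := &http.Server{Addr: ":8080"}                            // default 1 MiB limit
	raised := &http.Server{Addr: ":8080", MaxHeaderBytes: 8 << 20} // raised to 8 MiB
	fmt.Println("default limit safe:", serverLimitIsSafe(safe))
	fmt.Println("8 MiB limit safe:  ", serverLimitIsSafe(raised))

	fmt.Println("1 KiB response-header limit:", demoHeaderLimit(1<<10))
	fmt.Println("1 MiB response-header limit:", demoHeaderLimit(1<<20))
}
```

With a 1 KiB limit the Get call fails while the 4 KiB header is still being read; with a 1 MiB limit the same response is accepted. The server-side check is deliberately conservative: it flags any value above the default rather than trying to track the 7MB and 4MB thresholds the advisory quotes, which depend on the target architecture.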
Summary
Total packages affected: 70.46k (packages with at least one version that is affected by the advisory or has an affected dependency).
Packages with a known fix: 9.63k (packages with versions affected by the advisory that have a greater version that is not affected).
Total ecosystem affected: 5.35% (the proportion of packages in the ecosystem that are affected by the advisory, fixed or not).
Affected Version: Introduced: 0, Fixed: 0.0.0-20210428140749-89ef3d95e781