Excessive memory growth in net/http and golang.org/x/net/http2

Overview

Source
ID
GO-2022-1144
Aliases
BIT-golang-2022-41717
CVE-2022-41717
GHSA-xrjj-mj9h-534m
Affected package

Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Summary

111.62k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
13.42k
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
8.47%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 0.4.0
Patched/Unaffected
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
Affected