GO-2022-0536
- Source
- https://pkg.go.dev/vuln/GO-2022-0536
- Import Source
- https://vuln.go.dev/ID/GO-2022-0536.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2022-0536
- Aliases
- Published
- 2022-08-01T22:20:53Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Reset flood in net/http and golang.org/x/net/http
- Details
-
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.
Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RSTSTREAM frames from the peer. Depending on how the peer queues the RSTSTREAM frames, this can consume excess memory, CPU, or both.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0536" }- References
- Credits
-
-
- Jonathan Looney of Netflix
-
Affected packages
Go / stdlib
Package
- Name
- stdlib
- View open source insights on deps.dev
- Purl
- pkg:golang/stdlib
Go / golang.org/x/net
Package
- Name
- golang.org/x/net
- View open source insights on deps.dev
- Purl
- pkg:golang/golang.org/x/net