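A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, enough for a small number of small requests to cause a denial of service. The affected symbols listed below include both client-side and server-side entry points in net/http and golang.org/x/net/http2, so any program that decodes HTTP/2 headers from an untrusted peer through these paths should be checked.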
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }
{ "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "ListenAndServe", "ListenAndServeTLS", "Post", "PostForm", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "Transport.RoundTrip" ] } ] }
{ "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteScheduler.CloseStream", "priorityWriteScheduler.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "writeData.String" ] }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] }