golang.org/x/net/http2/h2c vulnerable to request smuggling attack

GHSA-fxg5-wq6x-vr4w · CVE-2022-41721 · GO-2023-1495

Published Jan 14, 2023 · Modified Feb 4, 2026

Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Specific Go Packages Affected

golang.org/x/net/http2/h2c

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-41721
PACKAGE https://cs.opensource.google/go/x/net
WEB https://go.dev/cl/447396
WEB https://go.dev/issue/56352
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP
WEB https://pkg.go.dev/vuln/GO-2023-1495

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes