CVE-2022-41721

Public Exploit

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

References

Link	Tags
https://go.dev/issue/56352	issue tracking patch vendor advisory exploit
https://go.dev/cl/447396	patch vendor advisory
https://pkg.go.dev/vuln/GO-2023-1495	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/

Frequently Asked Questions

What is the severity of CVE-2022-41721?: CVE-2022-41721 has been scored as a high severity vulnerability.
How to fix CVE-2022-41721?: To fix CVE-2022-41721, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-41721 being actively exploited in the wild?: It is possible that CVE-2022-41721 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-41721?: CVE-2022-41721 affects golang.org/x/net golang.org/x/net/http2/h2c.

Description

Category

CWE-444 – Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

References

Frequently Asked Questions