[](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)
Description:
The net/http package in Go is used for handling HTTP requests and responses.
HTTP/2 is a binary protocol where the client and server exchange binary frames instead of text lines as in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.
The HEADERS frame type allows sending HTTP headers of, both, request and response. The HEADERS frame contains many flags.
The CONTINUATION frame type is similar to the HEADER frame, but it has just one flag: END_HEADERS. When it is not set, the peer knows that more headers are coming in the following CONTINUATION frames.
This mechanism allows an attacker to send an HTTP/2 stream with CONTINUATION frames, without setting the END_HEADERS flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.
Though the net/http package uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation.
The x/net/http2 package is vulnerable by default.
Remediation:
Development mitigations
From Golang version 1.6, the net/http package is using the HTTP/2 protocol by default when using HTTPS. You can disable HTTP/2 by setting Server.TLSNextProto (for servers) to a non-nil, empty map.
For example:
package main
import (
"log"
"net/http"
"crypto/tls"
)
func main() {
m := http.NewServeMux()
srv := &http.Server{
Handler: m,
Addr: "127.0.0.1:8080",
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
}
log.Fatal(srv.ListenAndServe())
}
Alternatively, the following GODEBUG settings are also supported, which disables the HTTP/2 server support:
📦 Vulnerable Dependencies
✍️ Summary
Medium | github.com/jfrog/jfrog-client-go:v1.40.1
golang.org/x/net:v0.22.0 | golang.org/x/net v0.22.0 | [0.23.0] | CVE-2023-45288 |
🔬 Research Details
Description: The
net/httppackage in Go is used for handling HTTP requests and responses.HTTP/2is a binary protocol where the client and server exchange binary frames instead of text lines as inHTTP/1.x.HTTP/2resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.The
HEADERSframe type allows sending HTTP headers of, both, request and response. TheHEADERSframe contains many flags. TheCONTINUATIONframe type is similar to theHEADERframe, but it has just one flag:END_HEADERS. When it is not set, the peer knows that more headers are coming in the followingCONTINUATIONframes.This mechanism allows an attacker to send an
HTTP/2stream withCONTINUATIONframes, without setting theEND_HEADERSflag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.Though the
net/httppackage uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation. Thex/net/http2package is vulnerable by default.Remediation:
Development mitigations
From Golang version 1.6, the
net/httppackage is using theHTTP/2protocol by default when using HTTPS. You can disable HTTP/2 by settingServer.TLSNextProto(for servers) to a non-nil, empty map.For example:
Alternatively, the following GODEBUG settings are also supported, which disables the HTTP/2 server support: