Vulnerability in Golang.org/x/net (Golang.org/x/net/http2)

CVE-2023-45288

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a conne…

EPSS: 0.753 (98.9th percentile)

Affected products

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2023-45288?
CVE-2023-45288 is a vulnerability in Golang.org/x/net (Golang.org/x/net/http2), classified under CWE-400: Uncontrolled Resource Consumption. Published 2024-04-04.
Is CVE-2023-45288 known to be exploited?
23 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.