QwikSec

Security Database

CVE

CWE

Training

CVE-2022-41721

Published: Jan 13, 2023

Modified: Apr 4, 2025

PUBLISHED

Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Vendor	Product	Versions
golang.org/x/net	golang.org/x/net/http2/h2c	affected `0.0.0-20220524220425-1d687d428aca - < 0.1.1-0.20221104162952-702349b0e862`

References

https://go.dev/issue/56352

https://go.dev/cl/447396

https://pkg.go.dev/vuln/GO-2023-1495

https://lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/

https://lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.