{"id":"CVE-2023-45288","details":"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.","aliases":["BIT-golang-2023-45288","GHSA-4v7x-pqxf-cx7m","GO-2024-2687"],"modified":"2026-04-10T05:03:23.478733Z","published":"2024-04-04T21:15:16Z","related":["ALSA-2024:1962","ALSA-2024:1963","ALSA-2024:2079","ALSA-2024:2562","ALSA-2024:2699","ALSA-2024:2724","ALSA-2024:3259","ALSA-2024:3346","CGA-cp2m-4m66-fgvg","MGASA-2024-0128","RLSA-2024:2562","RLSA-2024:3259","SUSE-SU-2024:1121-1","SUSE-SU-2024:1122-1","SUSE-SU-2024:1160-1","SUSE-SU-2024:1161-1","SUSE-SU-2024:2108-1","SUSE-SU-2024:3089-1","SUSE-SU-2024:3097-1","SUSE-SU-2024:3098-1","SUSE-SU-2024:3155-1","SUSE-SU-2024:3188-1","SUSE-SU-2024:3341-1","SUSE-SU-2024:3342-1","SUSE-SU-2024:3343-1","SUSE-SU-2024:3344-1","SUSE-SU-2024:3755-1","SUSE-SU-2024:3772-1","SUSE-SU-2024:3938-1","SUSE-SU-2025:01985-1","SUSE-SU-2025:01987-1","SUSE-SU-2025:01988-1","SUSE-SU-2025:01989-1","SUSE-SU-2025:01990-1","SUSE-SU-2025:01991-1","SUSE-SU-2025:01992-1","SUSE-SU-2025:0295-1","SUSE-SU-2025:0299-1","SUSE-SU-2025:0306-1","SUSE-SU-2025:0313-1","SUSE-SU-2025:0318-1","SUSE-SU-2025:0342-1","SUSE-SU-2025:0346-1","SUSE-SU-2025:0420-1","SUSE-SU-2025:0458-1","SUSE-SU-2025:0558-1","SUSE-SU-2025:0579-1","SUSE-SU-2025:0581-1","SUSE-SU-2025:0775-1","SUSE-SU-2025:0813-1","SUSE-SU-2025:1332-1","SUSE-SU-2025:20091-1","SUSE-SU-2025:20143-1","SUSE-SU-2025:20179-1","SUSE-SU-2025:20279-1","SUSE-SU-2025:20363-1","SUSE-SU-2026:20483-1","SUSE-SU-2026:20486-1","openSUSE-SU-2024:13822-1","openSUSE-SU-2024:13823-1","openSUSE-SU-2024:13824-1","openSUSE-SU-2024:13837-1","openSUSE-SU-2024:13880-1","openSUSE-SU-2024:13881-1","openSUSE-SU-2024:13882-1","openSUSE-SU-2024:13903-1","openSUSE-SU-2024:13905-1","openSUSE-SU-2024:13927-1","openSUSE-SU-2024:13989-1","openSUSE-SU-2024:14053-1","openSUSE-SU-2024:14076-1","openSUSE-SU-2024:14399-1","openSUSE-SU-2024:14400-1","openSUSE-SU-2025:14709-1","openSUSE-SU-2025:14714-1","openSUSE-SU-2025:14744-1","openSUSE-SU-2025:14990-1","openSUSE-SU-2025:15075-1","openSUSE-SU-2025:15145-1","openSUSE-SU-2025:15162-1","openSUSE-SU-2026:10090-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240419-0009/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/04/03/16"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/04/05/4"},{"type":"WEB","url":"https://go.dev/cl/576155"},{"type":"WEB","url":"https://go.dev/issue/65051"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2024-2687"}],"schema_version":"1.7.5"}