golang.org/x/net/http2/h2c is vulnerable to HTTP request smuggling. The vulnerability exists in the h2cUpgrade function of h2c.go, which does not properly handle errors when reading the HTTP/2 frames from the HTTP/1 request body while that body is limited by MaxBytesHandler; this allows an attacker to send arbitrary HTTP/2 requests to the server.
github.com/advisories/GHSA-fxg5-wq6x-vr4w
github.com/golang/go/issues/56352
github.com/golang/net/commit/702349b0e8628371f0e5ba0c10407448d60a67b1
go-review.googlesource.com/c/net/+/447396
go.dev/cl/447396
go.dev/issue/56352
lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
pkg.go.dev/vuln/GO-2023-1495