7.5

CVSS Score

Basic Information

CVE ID

CVE-2023-39325

GHSA ID

GHSA-4374-p667-p6c8

EPSS Score

CWE

CWE-400

Published

10/11/2023

Updated

4/28/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-39325

CVE-2023-39325:
HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2023-39325

GHSA ID

GHSA-4374-p667-p6c8

EPSS Score

CWE

CWE-400

Published

10/11/2023

Updated

4/28/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
golang.org/x/net	go	< 0.17.0	0.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because the HTTP/2 server did not limit the number of concurrently executing handler goroutines when clients rapidly reset streams. The processHeaders function was responsible for initiating these handlers. Before the patch, it would call runHandler in a new goroutine for each request without adequate checks if prior requests were reset mid-flight. The runHandler function is where the resource-consuming work happens. The patch introduces scheduleHandler and handlerDone to implement a queue and limit for these goroutines, modifying processHeaders to use this new scheduling logic and runHandler to signal its completion. Therefore, processHeaders (in its pre-patch state) is the primary function that allows the vulnerability to be triggered, and runHandler is the function whose uncontrolled concurrent execution leads to resource exhaustion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* m*li*ious *TTP/* *li*nt w*i** r*pi*ly *r**t*s r*qu*sts *n* imm**i*t*ly r*s*ts t**m **n **us* *x**ssiv* s*rv*r r*sour** *onsumption. W*il* t** tot*l num**r o* r*qu*sts is *oun*** *y t** *ttp*.S*rv*r.M*x*on*urr*ntStr**ms s*ttin*, r*s*ttin* *n in-pro*

Reasoning

T** vuln*r**ility o**urs ****us* t** *TTP/* s*rv*r *i* not limit t** num**r o* *on*urr*ntly *x**utin* **n*l*r *oroutin*s w**n *li*nts r*pi*ly r*s*t str**ms. T** `pro**ss*****rs` *un*tion w*s r*sponsi*l* *or initi*tin* t**s* **n*l*rs. ***or* t** p*t**

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-39325: HTTP/2 rapid reset can cause excessive work in net/http

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-39325:
HTTP/2 rapid reset can cause excessive work in net/http

Vulnerability Intelligence
Miggo AI