golang.org/x/net/http2
Go
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting golang.org/x/net/http2
- CVE-2021-44716 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.0.0-20211209124913-491a49abca63 | 2022-01-01
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
- CVE-2022-27664 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.0.0-20220906165146-f3363e06e74c | 2022-09-06
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2022-41717 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 0.4.0 | 2022-12-08
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacke…
- CVE-2023-45288 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.23.0 | 2024-04-04
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a conne…