
CVE-2021-31525: net/http: ReadRequest can stack overflow due to recursion with very large headers · Issue #45710 · golang/go

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.


Comments

@katiehockman

@odeke-em changed the title from "http: ReadRequest can stack overflow" to "net/http: ReadRequest can stack overflow due to recursion with very large headers"

Apr 23, 2021

gopherbot pushed a commit to golang/net that referenced this issue

Apr 28, 2021

@katiehockman

…aderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45712

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman [email protected]
Run-TryBot: Katie Hockman [email protected]
TryBot-Result: Go Bot [email protected]
Reviewed-by: Filippo Valsorda [email protected]
Reviewed-by: Roland Shoemaker [email protected]
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314649
Reviewed-by: Dmitri Shuralyov [email protected]

gopherbot pushed a commit to golang/net that referenced this issue

Apr 28, 2021

@katiehockman

…esContainsToken

Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45711

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman [email protected]
Run-TryBot: Katie Hockman [email protected]
TryBot-Result: Go Bot [email protected]
Reviewed-by: Filippo Valsorda [email protected]
Reviewed-by: Roland Shoemaker [email protected]
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314650
Reviewed-by: Dmitri Shuralyov [email protected]

AkihiroSuda pushed a commit to containerd/containerd that referenced this issue

May 7, 2021

@tao12345666333

fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang [email protected]

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue

May 8, 2021

@jacmet

Fixes the following security issues:

  • CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

    golang/go#45710

Signed-off-by: Peter Korsgaard [email protected]
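The buildroot commit message above makes the defensive point: Server is protected by its 1 MiB default for MaxHeaderBytes and is only exposed when that cap is raised, whereas the bare parsers have no cap at all. The Go program below is an added example, not code from the Go issue or any commit linked here. It applies the same byte cap before http.ReadRequest ever sees the header, so an oversized header is rejected rather than parsed, and it audits whether a Server configuration keeps the default. The names readRequestCapped, headerLimitIsDefault and buildRequest are this example's own, and the 2 MiB header it feeds in is constructed input.

```go
package main

// Added example (not from golang/go#45710 or the linked commits). It mirrors the
// protection described in the commit message: net/http.Server bounds the bytes it
// reads for a request header at DefaultMaxHeaderBytes (1 MiB), so a header that is
// too large never reaches the header-value parser. http.ReadRequest alone applies
// no such cap, which is why Transport/Client-side parsing needed the upstream fix.

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrHeaderTooLarge is returned when the header section exceeds the byte cap.
var ErrHeaderTooLarge = errors.New("request header exceeds configured limit")

// readRequestCapped parses an HTTP/1.x request from raw bytes but lets the parser
// see at most maxHeaderBytes bytes, the same idea Server applies via MaxHeaderBytes.
// (Hypothetical helper; http.ReadRequest by itself has no size limit.)
func readRequestCapped(raw []byte, maxHeaderBytes int64) (*http.Request, error) {
	lr := &io.LimitedReader{R: bytes.NewReader(raw), N: maxHeaderBytes}
	req, err := http.ReadRequest(bufio.NewReader(lr))
	if err != nil {
		// Input ran out exactly when the cap was exhausted: report "too large"
		// instead of the generic unexpected-EOF parse error.
		if lr.N <= 0 {
			return nil, ErrHeaderTooLarge
		}
		return nil, err
	}
	return req, nil
}

// headerLimitIsDefault reports whether a Server keeps the stock 1 MiB header cap.
// Zero means "use the default"; a value above DefaultMaxHeaderBytes is the
// configuration the commit message warns about.
func headerLimitIsDefault(s *http.Server) bool {
	return s.MaxHeaderBytes <= http.DefaultMaxHeaderBytes
}

// buildRequest constructs a GET request whose single custom header value is
// valueLen bytes long (constructed test input, not a captured request).
func buildRequest(valueLen int) []byte {
	var b strings.Builder
	b.WriteString("GET / HTTP/1.1\r\nHost: example.test\r\nX-Big: ")
	b.WriteString(strings.Repeat("a", valueLen))
	b.WriteString("\r\n\r\n")
	return []byte(b.String())
}

func main() {
	raw := buildRequest(2 << 20) // 2 MiB header value, above the default cap

	if _, err := readRequestCapped(raw, http.DefaultMaxHeaderBytes); err != nil {
		fmt.Println("default 1 MiB cap:", err)
	}

	if req, err := readRequestCapped(raw, 4<<20); err == nil {
		fmt.Println("raised 4 MiB cap: parsed header of", len(req.Header.Get("X-Big")), "bytes")
	}

	fmt.Println("default server keeps cap:", headerLimitIsDefault(&http.Server{}))
	fmt.Println("16 MiB server keeps cap: ", headerLimitIsDefault(&http.Server{MaxHeaderBytes: 16 << 20}))
}
```

The cap is enforced by the reader, not by the parser, so the check holds regardless of how the header value is later tokenised; raising MaxHeaderBytes on a Server, or parsing untrusted responses with an unpatched Transport, is exactly what removes that guarantee.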

dmcgowan pushed a commit to dmcgowan/containerd that referenced this issue

May 10, 2021

@tao12345666333 @dmcgowan

fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang [email protected]
(cherry picked from commit 79d800b)
Signed-off-by: Derek McGowan [email protected]

olix0r added a commit to linkerd/linkerd2 that referenced this issue

May 24, 2021

@olix0r

Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710

Go’s error file-line formatting changed in 1.16.3, so this change updates tests to only do suffix matching on these error strings.

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue

Sep 14, 2021

@jacmet

Fixes the following security issues:

  • CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

    golang/go#45710

Signed-off-by: Peter Korsgaard [email protected]
(cherry picked from commit 1cfc01a)
Signed-off-by: Peter Korsgaard [email protected]

thaJeztah pushed a commit to thaJeztah/containerd that referenced this issue

Sep 15, 2021

@tao12345666333 @thaJeztah

fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang [email protected]
(cherry picked from commit 79d800b)
Signed-off-by: Sebastiaan van Stijn [email protected]

fahedouch pushed a commit to fahedouch/containerd that referenced this issue

Oct 15, 2021

@tao12345666333 @fahedouch

fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang [email protected]

NET12115 added a commit to NET12115/Golang-C-NET that referenced this issue

Feb 28, 2022

@NET12115

Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Fixes golang/go#45710

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman [email protected]
Run-TryBot: Katie Hockman [email protected]
TryBot-Result: Go Bot [email protected]
Reviewed-by: Filippo Valsorda [email protected]
Reviewed-by: Roland Shoemaker [email protected]
