CVE-2022-41721
published 2023-01-13CVE-2022-41721: A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the…
PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.81%
76.0th percentile
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.4.0+dfsg-1 (bookworm) | golang-golang-x-net 1:0.4.0+dfsg-1 (bookworm) |
| golang.org | x_net | >= 0.0.0-20220524220425-1d687d428aca < 0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 |
| golang.org | x_net_golang.org_x_net_http2_h2c | >= 0.0.0-20220524220425-1d687d428aca < 0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 |
| golang | h2c | < 2022-11-04 | 2022-11-04 |
| msrc | cbl2_opa_0.50.2-5_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
osv·2023-01-14
CVE-2022-41721 [HIGH] golang.org/x/net/http2/h2c vulnerable to request smuggling attack
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
### Specific Go Packages Affected
golang.org/x/net/http2/h2c
GHSA
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
ghsa·2023-01-14
CVE-2022-41721 [HIGH] CWE-444 golang.org/x/net/http2/h2c vulnerable to request smuggling attack
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
### Specific Go Packages Affected
golang.org/x/net/http2/h2c
OSV
CVE-2022-41721: A request smuggling attack is possible when using MaxBytesHandler
osv·2023-01-13·CVSS 7.5
CVE-2022-41721 [HIGH] CVE-2022-41721: A request smuggling attack is possible when using MaxBytesHandler
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
OSV
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
osv·2023-01-13
CVE-2022-41721 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
A request smuggling attack is possible when using MaxBytesHandler.
When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Red Hat
x/net/http2/h2c: request smuggling
vendor_redhat·2023-01-13·CVSS 7.5
CVE-2022-41721 [HIGH] CWE-444 x/net/http2/h2c: request smuggling
x/net/http2/h2c: request smuggling
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Statement: This moderate severity flaw was found in golang.org/x/net/http2/h2c
Microsoft
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
vendor_msrc·2023-01-10·CVSS 7.5
CVE-2022-41721 [HIGH] CWE-444 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Refer
Debian
CVE-2022-41721: golang-golang-x-net - A request smuggling attack is possible when using MaxBytesHandler. When using Ma...
vendor_debian·2022·CVSS 7.5
CVE-2022-41721 [HIGH] CVE-2022-41721: golang-golang-x-net - A request smuggling attack is possible when using MaxBytesHandler. When using Ma...
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Scope: local
bookworm: resolved (fixed in 1:0.4.0+dfsg-1)
bullseye: resolved
forky: resolved (fixed in 1:0.4.0+dfsg-1)
sid: resolved (fixed in 1:0.4.0+dfsg-1)
trixie: resolved (fixed in 1:0.4.0+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://go.dev/cl/447396https://go.dev/issue/56352https://lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/https://lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/https://pkg.go.dev/vuln/GO-2023-1495https://go.dev/cl/447396https://go.dev/issue/56352https://lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/https://lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/https://pkg.go.dev/vuln/GO-2023-1495
2023-01-13
Published