CVE-2021-31525 Overview
CVE-2021-31525 is a denial of service vulnerability in Go's net/http package that allows remote attackers to cause a panic by sending a large header to ReadRequest or ReadResponse functions. The vulnerability affects Go versions before 1.15.12 and 1.16.x before 1.16.4, impacting Server, Transport, and Client components in certain configurations.
Critical Impact
Remote attackers can crash Go-based HTTP servers, proxies, and clients by sending specially crafted HTTP requests with oversized headers, leading to service unavailability.
Affected Products
- Golang Go (versions before 1.15.12)
- Golang Go (versions 1.16.x before 1.16.4)
- Fedora Project Fedora 34
Discovery Timeline
- 2021-05-27 - CVE-2021-31525 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-31525
Vulnerability Analysis
This vulnerability stems from improper handling of HTTP headers within the net/http package in Go. When processing HTTP requests or responses, the ReadRequest and ReadResponse functions fail to properly validate the size of incoming headers before processing them. This can lead to uncontrolled resource consumption and ultimately a panic condition that crashes the application.
The vulnerability is classified under CWE-674 (Uncontrolled Recursion), indicating that the underlying issue relates to how the header parsing logic handles deeply nested or excessively large input data. When a maliciously crafted HTTP message with an oversized header is received, the parsing mechanism can enter a state that triggers a panic, terminating the Go process.
Root Cause
The root cause lies in the insufficient bounds checking within the HTTP header parsing routines. The ReadRequest and ReadResponse functions in the net/http package did not implement adequate safeguards against excessively large header values. This allows an attacker to send headers that exceed expected size limits, causing resource exhaustion that manifests as a runtime panic.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker constructs an HTTP request or response containing an abnormally large header field and sends it to a vulnerable Go application. The attack scenarios include:
- Server Attack: Sending a malicious HTTP request with an oversized header to a Go HTTP server
- Client Attack: A malicious server responding with oversized headers to a Go HTTP client
- Transport Attack: Exploiting Go applications using custom HTTP transports that process untrusted HTTP messages
The attack complexity is considered high because specific conditions must be met for successful exploitation, such as the target application not having implemented additional size limits on incoming data.
Detection Methods for CVE-2021-31525
Indicators of Compromise
- Unexpected application crashes or panics in Go-based HTTP services
- Log entries indicating panic conditions in net/http package functions
- Network traffic containing HTTP requests or responses with abnormally large header sizes
- Service availability issues for Go applications handling HTTP traffic
Detection Strategies
- Monitor for Go runtime panic events in application logs, specifically those originating from net/http package
- Implement network intrusion detection rules to flag HTTP traffic with headers exceeding normal size thresholds (e.g., headers larger than 1MB)
- Track application crash frequencies and correlate with incoming HTTP traffic patterns
- Use endpoint detection and response (EDR) solutions to identify process terminations consistent with panic conditions
Monitoring Recommendations
- Configure alerting on Go application crashes with stack traces mentioning ReadRequest or ReadResponse
- Establish baseline metrics for HTTP header sizes in your environment and alert on anomalies
- Monitor system resource utilization (memory, CPU) for spikes that may precede crash events
- Implement centralized logging to correlate crash events across multiple Go-based services
How to Mitigate CVE-2021-31525
Immediate Actions Required
- Upgrade Go to version 1.15.12 or later for the 1.15.x branch
- Upgrade Go to version 1.16.4 or later for the 1.16.x branch
- Recompile all Go applications using the patched Go version
- Review and apply vendor-specific patches for Fedora 34 users
Patch Information
The Go development team addressed this vulnerability in Go versions 1.15.12 and 1.16.4. Users should update their Go installation and rebuild affected applications. For detailed information about the fix, refer to the GitHub Issue Discussion and the Google Groups Announcement. Fedora users should apply updates as announced in the Fedora Package Announcement.
Workarounds
- Implement reverse proxy or web application firewall (WAF) rules to limit incoming HTTP header sizes
- Configure load balancers to reject requests with headers exceeding reasonable size thresholds
- Deploy network-level protections to filter HTTP traffic with abnormally large headers before it reaches Go applications
- Consider implementing application-level header size validation as an additional defense layer
# Example: Configure nginx as a reverse proxy with header size limits
# Add to nginx server configuration to limit header buffer size
large_client_header_buffers 4 16k;
client_header_buffer_size 4k;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
