CVE-2022-41723 Overview
CVE-2022-41723 is a denial of service vulnerability affecting Go's HTTP/2 implementation, specifically within the HPACK decoder component. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. This vulnerability poses a significant risk to any Go-based web server or application utilizing HTTP/2, as attackers can exploit it remotely without authentication to exhaust server resources.
Critical Impact
Remote attackers can cause complete service unavailability by sending specially crafted HTTP/2 requests that trigger excessive CPU consumption in the HPACK decoder, requiring minimal resources on the attacker's side.
Affected Products
- Golang Go (versions prior to patched releases)
- Golang HPACK module
- Golang HTTP2 module
Discovery Timeline
- February 28, 2023 - CVE-2022-41723 published to NVD
- May 5, 2025 - Last updated in NVD database
Technical Details for CVE-2022-41723
Vulnerability Analysis
This vulnerability resides in Go's net/http2/hpack package, which handles HPACK header compression for HTTP/2 connections. HPACK is the compression format used to efficiently encode HTTP headers in HTTP/2. The flaw allows an attacker to craft malicious HTTP/2 streams that exploit inefficiencies in the HPACK decoder's processing logic.
When processing these specially crafted streams, the decoder enters a state of excessive CPU consumption. The vulnerability is particularly concerning because the attack requires minimal bandwidth and resources from the attacker's perspective—a small number of small requests can be sufficient to degrade or completely deny service to legitimate users.
The vulnerability affects any Go application that accepts HTTP/2 connections, including web servers, API gateways, microservices, and reverse proxies built with Go's standard library or the golang.org/x/net/http2 package.
Root Cause
The root cause lies in the HPACK decoder's handling of certain compressed header representations. When parsing specific malformed or carefully constructed HPACK-encoded data, the decoder fails to efficiently process the input, leading to algorithmic complexity issues that manifest as excessive CPU usage. This represents a resource exhaustion vulnerability where computational resources are disproportionately consumed relative to the size of the input data.
Attack Vector
The attack is network-based and can be executed remotely without any authentication or user interaction. An attacker needs only to establish an HTTP/2 connection to a vulnerable server and send crafted HPACK-encoded headers. The attack characteristics include:
The attacker initiates HTTP/2 connections to target servers accepting HTTP/2 traffic. Through these connections, malicious HTTP/2 frames containing specially crafted HPACK-encoded headers are transmitted. The server's HPACK decoder processes these headers, consuming excessive CPU cycles. With sufficient malicious requests, the server becomes unresponsive to legitimate traffic.
The asymmetric nature of this attack makes it particularly dangerous—attackers can cause significant impact with minimal resources.
Detection Methods for CVE-2022-41723
Indicators of Compromise
- Unusual CPU spikes on servers handling HTTP/2 traffic, particularly in processes running Go applications
- Abnormal patterns in HTTP/2 connection establishment followed by header-heavy requests with minimal body content
- Service degradation or unresponsiveness correlating with increased HTTP/2 traffic volume
- Log entries indicating connection timeouts or resource exhaustion on HTTP/2 endpoints
Detection Strategies
- Monitor CPU utilization metrics for Go-based services, alerting on sustained high CPU usage without corresponding increases in legitimate throughput
- Implement network traffic analysis to identify anomalous HTTP/2 HPACK-encoded header patterns
- Deploy application performance monitoring (APM) to track request processing times and identify requests causing disproportionate resource consumption
- Use SentinelOne's behavioral AI to detect and flag processes exhibiting resource exhaustion patterns indicative of DoS attacks
Monitoring Recommendations
- Establish baseline metrics for normal HTTP/2 traffic patterns and CPU utilization on Go services
- Configure rate limiting on HTTP/2 connections at the load balancer or reverse proxy level
- Implement connection throttling to limit the impact of potential abuse from single sources
- Review logs from web application firewalls (WAFs) for blocked or flagged HTTP/2 traffic anomalies
How to Mitigate CVE-2022-41723
Immediate Actions Required
- Update Go to version 1.19.6 or 1.20.1 or later, which contain the fix for this vulnerability
- Update the golang.org/x/net/http2 package to version 0.7.0 or later
- Update the golang.org/x/net/http2/hpack package to version 0.7.0 or later
- If immediate patching is not possible, consider temporarily disabling HTTP/2 support and falling back to HTTP/1.1
Patch Information
The Go security team has released patches addressing this vulnerability. The fixes are available in the following changesets:
- Go.dev Change Log Entry #468135 - Initial patch for the HPACK decoder
- Go.dev Change Log Entry #468295 - Additional fixes
For detailed vulnerability information, refer to the Go.dev Vulnerability Report GO-2023-1571. The official announcement is available via the Golang Announcement Group Post.
Multiple Linux distributions have also released updated packages including Fedora, Gentoo, and others. Organizations using containerized Go applications should rebuild container images with patched Go versions.
Workarounds
- Implement rate limiting on incoming HTTP/2 connections to reduce the potential impact of exploitation attempts
- Configure reverse proxies or load balancers in front of Go services to filter and limit HTTP/2 traffic
- Monitor and set resource limits (CPU, memory) for Go processes using container orchestration or system-level controls
- Consider disabling HTTP/2 support temporarily if your application can function adequately over HTTP/1.1
# Verify Go version includes the patch
go version
# Update Go modules to get patched http2/hpack packages
go get -u golang.org/x/net/http2@v0.7.0
go mod tidy
# Rebuild your application with the updated dependencies
go build -o myapp ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
