CVE-2023-45288 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in the Go standard library's net/http package, specifically impacting HTTP/2 endpoints. The issue arises because the HTTP/2 protocol uses HEADERS and CONTINUATION frames to transmit header data, and the Go implementation maintains HPACK state by parsing all these frames. When a request's headers exceed the configured MaxHeaderBytes limit, the server rejects the request but continues to parse all header frames without allocating memory for the excess data. This parsing includes decoding Huffman-encoded headers, which is computationally expensive for the server but relatively cheap for the attacker to send. An attacker can exploit this by sending a large number of CONTINUATION frames with excessive header data, forcing the server to consume excessive CPU and memory resources, potentially leading to denial of service. The vulnerability affects all Go versions before 1.22.0. The patch for this vulnerability introduces a limit on the amount of excess header frames processed, closing the connection once the limit is exceeded to prevent resource exhaustion. The vulnerability has a CVSS score of 7.5 (high severity), with no privileges or user interaction required, and network attack vector, making it relatively easy to exploit remotely. No known exploits have been reported in the wild as of the publication date.

For European organizations, this vulnerability poses a significant risk of denial of service attacks against services built using the Go standard library's net/http package with HTTP/2 enabled. Organizations running web servers, APIs, or microservices in Go versions prior to 1.22.0 could experience service outages or degraded performance if targeted by attackers exploiting this vulnerability. This could impact critical infrastructure, financial services, e-commerce platforms, and public sector services that rely on Go-based HTTP/2 servers. The resource exhaustion could lead to increased operational costs, loss of availability, and potential cascading failures in dependent systems. Given the ease of exploitation and lack of required authentication, attackers can launch these attacks remotely, increasing the threat surface. Additionally, the vulnerability could be leveraged as part of larger multi-vector attacks or to distract defenders while other attacks are conducted. The absence of known exploits in the wild suggests that proactive patching can effectively mitigate risk before widespread exploitation occurs.

European organizations should immediately assess their use of the Go standard library net/http package, particularly for HTTP/2 endpoints, and identify any services running Go versions prior to 1.22.0. The primary mitigation is to upgrade all affected Go runtime environments to version 1.22.0 or later, where the vulnerability is fixed by limiting the processing of excess header frames. Until upgrades can be applied, organizations should consider implementing network-level protections such as rate limiting and anomaly detection on HTTP/2 traffic to detect and block excessive CONTINUATION frames. Web application firewalls (WAFs) and intrusion prevention systems (IPS) should be configured to monitor for abnormal header frame patterns. Additionally, monitoring resource utilization on Go-based HTTP/2 servers can help detect early signs of exploitation attempts. Organizations should also review and tighten MaxHeaderBytes settings to reasonable limits and ensure logging is enabled for HTTP/2 connections to facilitate incident response. Finally, security teams should stay informed on any emerging exploits or patches related to this vulnerability.