What is CVE-2023-39325?

CVE-2023-39325 is a vulnerability affecting the Golang Go programming language and its HTTP/2 package. A malicious HTTP/2 client can exploit this vulnerability by rapidly creating and resetting requests, causing excessive server resource consumption. Systems using the Golang Go programming language (specific versions) and the Golang HTTP/2 package are at risk. The severity of this vulnerability is not yet provided by the National Vulnerability Database.

Who is impacted?

The CVE-2023-39325 vulnerability affects users of the Golang Go programming language and its HTTP/2 package. Specifically, those using Golang Go versions 1.20.0 to 1.20.10 (excluding 1.20.10) and 1.21.0 to 1.21.3 (excluding 1.21.3), as well as Golang HTTP/2 versions up to (excluding) 0.17.0. This vulnerability can be exploited by a malicious HTTP/2 client, causing excessive server resource consumption by rapidly creating and resetting requests. Users of Fedora Project's Fedora 37, 38, and 39 operating systems, and NetApp's Astra Trident and Astra Trident Autosupport software are also affected.

What to do if CVE-2023-39325 affected you

If you're affected by the CVE-2023-39325 vulnerability, it's important to take action to protect your system. Follow these simple steps:

1. Update to the latest version of Go (1.20 or 1.21) to have the vulnerability fixed.

2. Use a recent version of the golang.org/x/net/http2 package and http2.ConfigureServer to replace the standard library's bundled HTTP/2 implementation.

3. Adjust the stream concurrency limit if needed, using the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Is it in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-39325 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This issue, affecting the Golang Go programming language and its HTTP/2 package, can be exploited by a malicious HTTP/2 client to cause excessive server resource consumption. To address this vulnerability, users should apply a fix that limits the number of simultaneously executing handler goroutines and queues new requests when at the limit.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-770, which involves allocation of resources without limits or throttling, affecting the Golang Go programming language and its HTTP/2 package.

Learn More

CVE-2023-39325 is a significant vulnerability affecting the Golang Go programming language and its HTTP/2 package. To learn more about its description, severity, technical details, and known affected software configurations, visit the NVD page or explore the sources below.

• National Vulnerability Database

• Gerrit Code Review

• GitHub (golang/go repository)