CVE-2023-39325
Denial-of-Service (DoS) vulnerability in golang.org/x/net

Denial-of-Service (DoS) No known exploit

What is CVE-2023-39325 About?

A malicious HTTP/2 client can trigger a Denial-of-Service (DoS) by rapidly creating and resetting requests, overwhelming server resources. While the server limits concurrent streams, resetting requests allows the attacker to bypass this, keeping the server busy without exceeding the hard limit. This is a highly effective attack due to resource asymmetry.

Affected Software

  • golang.org/x/net
    • <0.17.0
  • stdlib
    • <1.20.10

Technical Details

This Denial-of-Service (DoS) vulnerability is a variant of the HTTP/2 Rapid Reset attack, where a malicious client exploits the HTTP/2 stream management. The `http2.Server.MaxConcurrentStreams` setting limits the total number of live requests. However, by sending a request and immediately resetting it (`RST_STREAM`), the client can free up a 'stream slot' while the server might still be processing the request internally. This allows the client to continually queue new requests without exceeding the apparent stream limit, effectively creating an unbounded workload for the server. The server must then allocate resources and process these requests, even if they are later canceled, leading to resource exhaustion (e.g., CPU, memory, goroutines in Go applications). The fix bounds simultaneously executing handler goroutines to `MaxConcurrentStreams`, queuing new requests and terminating connections if the queue grows too large.

What is the Impact of CVE-2023-39325?

Successful exploitation may allow attackers to cause a denial-of-service condition, leading to service unavailability, degraded performance, and resource exhaustion on the targeted server.

What is the Exploitability of CVE-2023-39325?

Exploitation of this HTTP/2 DoS vulnerability is of low to moderate complexity. An attacker requires only a client capable of initiating HTTP/2 connections and sending requests that are immediately followed by reset frames. No authentication is typically required, as this attack targets the basic stream handling of HTTP/2. No special privileges are needed. The attack is remote, operating over the network against the HTTP/2 server endpoint. The primary conditions for successful exploitation are a server that processes canceled requests significantly before acting on the reset, and an insufficient mechanism to queue new requests or terminate connections when load is excessive. The risk increases for publicly exposed HTTP/2 services, especially those with high performance expectations, where a large number of concurrent, 'ghost' requests can quickly exhaust resources.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2023-39325?

Available Upgrade Options

  • stdlib
    • <1.20.10 → Upgrade to 1.20.10
  • golang.org/x/net
    • <0.17.0 → Upgrade to 0.17.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-39325?

Similar Vulnerabilities: CVE-2023-44487 , CVE-2019-9511 , CVE-2019-9512 , CVE-2019-9513 , CVE-2019-9514

All Rights reserved 2025
Privacy Policy