---

Introduction

In 2022, a critical vulnerability, CVE-2022-41723, was found in the handling of HTTP/2 in Golang’s standard library. This bug allowed attackers to use specifically crafted HTTP/2 streams to consume excessive CPU resources during HPACK (Header Compression) decoding. Even a small number of requests could overwhelm and potentially bring down a server.  
This post will explain how the CVE works, provide code samples, show an example exploit, and share links to official references.


## What Is HPACK in HTTP/2?

HPACK is the name for the header compression scheme used in HTTP/2. By compressing repetitive header fields, HTTP/2 reduces bandwidth usage while maintaining low latency. Unfortunately, the HPACK decoder in affected servers could be *tricked* into using *lots* of CPU, all by sending tricky compressed headers—even if the requests themselves were tiny.

The Heart of CVE-2022-41723

When a server using a vulnerable version of the Go HTTP/2 library gets an HTTP/2 request with “evil” header compression, the HPACK decoder goes into overdrive. A clever attacker can exploit this to create a denial of service (DoS) situation.

Affected Systems

- Go's net/http library with HTTP/2 enabled (default since Go 1.6+)

Servers using reverse proxies based on Go (like Caddy, Traefik)

- Any HTTP/2 service using vulnerable Go versions

A Real Example: Overloading the HPACK Decoder

Let’s get technical. The attack works by deliberately creating headers that force the HPACK decoder to do a huge amount of work for a tiny amount of data.

Suppose you run a Go server (even the default one)

package main

import (
	"fmt"
	"net/http"
)

func helloHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "Hello, HTTP/2 world!")
}

func main() {
	http.HandleFunc("/", helloHandler)
	http.ListenAndServeTLS(":443", "server.crt", "server.key", nil) // HTTP/2 enabled by default
}

This looks safe. But if your Go version is vulnerable, a remote attacker can send a stream of specially crafted HTTP/2 requests to kill server performance.

Exploit: Proof-of-Concept Attack

A typical exploit involves sending an HTTP/2 frame with malformed or highly recursive HPACK headers. There are tools, such as h2spec and custom scripts, that can send these frames.

Below is a simplified demonstration using Python and HTTPS to send a "normal" HTTP/2 request. (Note: For real PoC, you need to craft HTTP/2 frames directly—Python’s popular libraries won’t let you create broken HPACK encodings easily, but tools like nghttp2 and Scapy can.)

Python PoC skeleton

import hyper
conn = hyper.HTTP20Connection('vulnerable.server.com', port=443, secure=True)
# The next step would be to send a custom header set crafted to exploit HPACK
# But hyper doesn't let you produce malformed compression.
headers = [
    (':method', 'GET'),
    (':scheme', 'https'),
    (':path', '/'),
    (':authority', 'vulnerable.server.com'),
    ('x-long-header', 'A' * 1_000_000)  # simulate but not exploit
]
conn.request('GET', '/', headers=dict(headers))
resp = conn.get_response()
print(resp.read())

To fully exploit CVE-2022-41723, an attacker would use a custom utility to send header frames that expand exponentially as they’re decompressed.  
The real attack isn't sending *large* headers—it's sending *small* header blocks that, due to HPACK logic, explode in processing cost.

- For a real-world attack, refer to this hpackbomb.py script example.

Official References & Patch

- Official CVE-2022-41723 Report
- Go Project Security Advisory
- Go Patch for net/http2
- Research: HPACK Bombs

If you run Go-based servers, update your software now.

Defense: How to Protect Yourself

- Update Go! Any version before March 7, 2023 (Go 1.19.8/1.20.3) is unsafe.

Conclusion

CVE-2022-41723 is a textbook example of how *tiny requests* can do *massive* damage if a protocol parser isn’t careful. HPACK compression is complex—malicious encodings can make a machine waste seconds or even minutes on a single bad request, leading to a *denial of service*.

Don’t let your server get hpack-bombed. Patch and protect!

More Reading

- OWASP: Denial of Service
- HTTP/2 RFC 7541 (HPACK)


*If you found this post helpful, share it and encourage your sysadmin friends to patch security holes right away!*

Timeline

Published on: 02/28/2023 18:15:00 UTC
Last modified on: 04/12/2023 03:15:00 UTC