{"api_version":"1","generated_at":"2026-04-23T06:20:17+00:00","cve":"CVE-2022-41721","urls":{"html":"https://cve.report/CVE-2022-41721","api":"https://cve.report/api/cve/CVE-2022-41721.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-41721","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-41721"},"summary":{"title":"CVE-2022-41721","description":"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-01-13 23:15:00","updated_at":"2023-11-07 03:52:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://pkg.go.dev/vuln/GO-2023-1495","name":"https://pkg.go.dev/vuln/GO-2023-1495","refsource":"MISC","tags":[],"title":"GO-2023-1495 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/56352","name":"https://go.dev/issue/56352","refsource":"MISC","tags":[],"title":"x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll · Issue #56352 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: caddy-2.6.4-1.fc37 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/447396","name":"https://go.dev/cl/447396","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: caddy-2.6.4-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-41721","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41721","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"41721","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"h2c","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"go","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-41721","qid":"183725","title":"Debian Security Update for golang-golang-x-net (CVE-2022-41721)"},{"cve":"CVE-2022-41721","qid":"357051","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2024-035"},{"cve":"CVE-2022-41721","qid":"357058","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2024-035"},{"cve":"CVE-2022-41721","qid":"691065","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for traefik (428922c9-b07e-11ed-8700-5404a68ad561)"},{"cve":"CVE-2022-41721","qid":"905281","title":"Common Base Linux Mariner 
(CBL-Mariner) Security Update for opa (13029)"},{"cve":"CVE-2022-41721","qid":"907409","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for opa (13029-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-41721","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE 444: Inconsistent Interpretation of HTTP Requests (\"HTTP Request/Response Smuggling\")"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"golang.org/x/net","product":{"product_data":[{"product_name":"golang.org/x/net/http2/h2c","version":{"version_data":[{"version_affected":"<","version_name":"0.0.0-20220524220425-1d687d428aca","version_value":"0.1.1-0.20221104162952-702349b0e862"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/56352","refsource":"MISC","name":"https://go.dev/issue/56352"},{"url":"https://go.dev/cl/447396","refsource":"MISC","name":"https://go.dev/cl/447396"},{"url":"https://pkg.go.dev/vuln/GO-2023-1495","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1495"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/"}]},"credits":[{"lang":"en","value":"John Howard (Google)"}]},"nvd":{"publishedDate":"2023-01-13 23:15:00","lastModifiedDate":"2023-11-07 
03:52:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:h2c:*:*:*:*:*:go:*:*","versionEndExcluding":"2022-11-04","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}