OpenBao Secrets Operator Exposed to HTTP/2 CONTINUATION Flood Attack (GO-2024-2687)
A critical security flaw in the OpenBao Secrets Operator's main branch exposes systems to a resource exhaustion attack over HTTP/2. The vulnerability, identified as GO-2024-2687, allows a malicious actor to force an HTTP/2 endpoint to parse and process "arbitrary amounts" of header data by sending an excessive number of CONTINUATION frames. The govulncheck security tool classifies this finding as "REACHABLE", meaning the vulnerable function is reachable from the operator's own code rather than merely present in a transitive dependency, so the code path is active and exploitable in the deployed software.
The core of the exploit lies in how the `net/http` library handles header size limits. The server correctly rejects a request whose headers exceed the `MaxHeaderBytes` limit, but it does not stop reading and decoding the CONTINUATION frames that keep arriving for that stream. An attacker can send a flood of CONTINUATION frames carrying Huffman-encoded headers, which are computationally expensive for the server to decode. This creates a significant asymmetry: sending the frames costs the attacker almost nothing, while the victim server spends substantial CPU decoding headers for a request it will ultimately reject, leading to a potential denial-of-service condition.
The vulnerability has been patched in version v0.23.0 of the openbao/openbao-secrets-operator. Any deployment running a version prior to this fix remains vulnerable to this low-cost, high-impact attack that could degrade or cripple service availability by exhausting server resources. The finding underscores the persistent risks in foundational networking libraries and the critical need for operators of secrets management infrastructure to apply security updates promptly.
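The practical question for an operator is whether a given build still carries the unpatched code. The Go program below is an added example, not code from OpenBao or from govulncheck: it reads the output of `go list -m all` and `go version` (both embedded here as constructed samples) and reports whether the build falls below the fixed versions. It uses the v0.23.0 fix version cited above for the `golang.org/x/net` module, which provides the HTTP/2 implementation that `net/http` bundles; the toolchain thresholds (go1.21.9 and go1.22.2) are taken from the Go vulnerability database entry for GO-2024-2687 and are stated here as my own knowledge, not from the page. Anything the checker cannot parse is reported as affected rather than silently passed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedModuleVersions lists the first version of each affected module that
// carries the fix for GO-2024-2687 (v0.23.0 as cited on the page).
var fixedModuleVersions = map[string]string{
	"golang.org/x/net": "v0.23.0",
}

// fixedToolchain maps a Go minor release to the patch level that includes the
// fix. net/http bundles x/net/http2, so the toolchain version matters as well.
// These values are from the Go vulnerability database (assumption; see lead-in).
var fixedToolchain = map[[2]int]int{
	{1, 21}: 9, // go1.21.9
	{1, 22}: 2, // go1.22.2
}

// parseVersion turns "v0.22.0", "go1.21.8" or "go1.21" into [major minor patch].
// Pre-release and pseudo-version suffixes are dropped, which sorts them low
// (conservative: an untagged build is treated as older than any tagged fix).
func parseVersion(s string) ([3]int, error) {
	var out [3]int
	s = strings.TrimPrefix(strings.TrimPrefix(s, "v"), "go")
	s = strings.SplitN(s, "-", 2)[0]
	s = strings.SplitN(s, "+", 2)[0]
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q", s)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// VulnerableModules scans `go list -m all` output and returns one finding per
// tracked module that is below its fixed version. A "=>" replace directive is
// honoured by checking the replacement's version instead of the original.
func VulnerableModules(goListOutput string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // the main module line has no version
		}
		module, version := fields[0], fields[1]
		if len(fields) >= 4 && fields[2] == "=>" {
			version = fields[len(fields)-1]
		}
		fixed, tracked := fixedModuleVersions[module]
		if !tracked {
			continue
		}
		have, err := parseVersion(version)
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s %s: cannot parse version, treat as vulnerable", module, version))
			continue
		}
		want, _ := parseVersion(fixed)
		if compareVersions(have, want) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s is vulnerable to GO-2024-2687 (fixed in %s)", module, version, fixed))
		}
	}
	return findings
}

// ToolchainVulnerable reports whether a Go release string such as "go1.21.8"
// (from `go version`) still ships the unpatched bundled http2 code.
func ToolchainVulnerable(goVersion string) bool {
	v, err := parseVersion(goVersion)
	if err != nil {
		return true // unknown release: assume affected
	}
	if patch, ok := fixedToolchain[[2]int{v[0], v[1]}]; ok {
		return v[2] < patch
	}
	// Releases before go1.21 never received the fix; go1.23 and later include it.
	return compareVersions(v, [3]int{1, 21, 0}) < 0
}

func main() {
	// Constructed sample of `go list -m all` output; not taken from the project.
	const sample = "github.com/openbao/openbao-secrets-operator\ngolang.org/x/net v0.22.0\ngolang.org/x/sys v0.18.0\n"
	for _, f := range VulnerableModules(sample) {
		fmt.Println(f)
	}
	fmt.Println("toolchain go1.21.8 vulnerable:", ToolchainVulnerable("go1.21.8"))
}
```

In a real pipeline, feed it the live output of `go list -m all` run in the module directory and of `go version -m` against the built binary; govulncheck performs the same comparison against the full database and adds the reachability analysis the page refers to, so this checker is a lightweight gate, not a replacement for it.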