OpenBao Secrets Operator: HTTP/2 CONTINUATION Flood Vulnerability (GO-2024-2687) Exposes Denial-of-Service Risk
A high-severity flaw reported by govulncheck against the main branch of the OpenBao Secrets Operator exposes its HTTP/2 endpoints to a resource-exhaustion attack. The vulnerability, GO-2024-2687 (CVE-2023-45288), allows a remote, unauthenticated client to force an HTTP/2 server to parse and decode an arbitrary amount of header data by sending a HEADERS frame followed by an unbounded stream of CONTINUATION frames. govulncheck classifies the finding as "REACHABLE", meaning the vulnerable functions are statically reachable from the operator's own code rather than merely present in a transitive dependency; this is the signal that the fix matters for this binary, not proof that an exploit has been demonstrated against it.
The flaw resides in the HTTP/2 server implementation in `net/http` (vendored from `golang.org/x/net/http2`). The attack leverages the fact that HPACK keeps a dynamic table shared by every stream on a connection, so the server cannot skip a header block: it must parse every HEADERS and CONTINUATION frame to keep its decoder state consistent. Crucially, even when a request's headers exceed the configured `MaxHeaderBytes` limit and the request is already destined for rejection, the unpatched server still parses and decodes the excess data; it only declines to store it. An attacker therefore sends a HEADERS frame without the END_HEADERS flag and follows it with CONTINUATION frames for as long as it likes, each filled with Huffman-encoded header data that is far more expensive for the receiver to decode than for the sender to produce. The fix bounds how much header data beyond the limit the server will process before it closes the connection instead of continuing to decode.
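The sequence described above, as an added example written for this page (it is not the `net/http` code nor the operator's own): it builds the attacker's byte stream in real RFC 9113 frame format (HEADERS without END_HEADERS, then CONTINUATION frames) and feeds it to a model of the server's header-block loop in two configurations. The "pre-fix" configuration rejects the request once `maxHeaderBytes` is exceeded but keeps consuming frames until END_HEADERS; the "fixed" configuration closes the connection once an excess budget is spent. The 0xff filler payload stands in for Huffman-coded header data, decode cost is approximated by payload bytes, and the `excessLimit` value is an assumption for illustration rather than the constant used in the real fix.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// HTTP/2 frame types and flags relevant to header blocks (RFC 9113).
const (
	frameHeaders      byte = 0x1
	frameContinuation byte = 0x9
	flagEndHeaders    byte = 0x4
)

// Frame is a decoded HTTP/2 frame header plus its payload.
type Frame struct {
	Type     byte
	Flags    byte
	StreamID uint32
	Payload  []byte
}

// writeFrame appends a frame in wire format: 24-bit length, 8-bit type,
// 8-bit flags, reserved bit + 31-bit stream identifier, then the payload.
func writeFrame(w *bytes.Buffer, typ, flags byte, streamID uint32, payload []byte) {
	var hdr [9]byte
	hdr[0] = byte(len(payload) >> 16)
	hdr[1] = byte(len(payload) >> 8)
	hdr[2] = byte(len(payload))
	hdr[3] = typ
	hdr[4] = flags
	binary.BigEndian.PutUint32(hdr[5:], streamID&0x7fffffff)
	w.Write(hdr[:])
	w.Write(payload)
}

// readFrame parses one frame from r.
func readFrame(r io.Reader) (Frame, error) {
	var hdr [9]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return Frame{}, err
	}
	n := int(hdr[0])<<16 | int(hdr[1])<<8 | int(hdr[2])
	f := Frame{Type: hdr[3], Flags: hdr[4], StreamID: binary.BigEndian.Uint32(hdr[5:]) & 0x7fffffff}
	f.Payload = make([]byte, n)
	if _, err := io.ReadFull(r, f.Payload); err != nil {
		return Frame{}, err
	}
	return f, nil
}

// buildContinuationFlood constructs the attacker's stream on stream 1: a
// HEADERS frame, then n CONTINUATION frames of chunkSize bytes each; only the
// final frame carries END_HEADERS. The 0xff filler is a constructed stand-in
// for Huffman-encoded header data.
func buildContinuationFlood(n, chunkSize int) []byte {
	var buf bytes.Buffer
	chunk := bytes.Repeat([]byte{0xff}, chunkSize)
	var flags byte
	if n == 0 {
		flags = flagEndHeaders
	}
	writeFrame(&buf, frameHeaders, flags, 1, chunk)
	for i := 0; i < n; i++ {
		flags = 0
		if i == n-1 {
			flags = flagEndHeaders
		}
		writeFrame(&buf, frameContinuation, flags, 1, chunk)
	}
	return buf.Bytes()
}

// Result summarises what the server-side header-block reader did.
type Result struct {
	DecodedBytes int // header bytes handed to the (expensive) HPACK decoder
	Frames       int // header-block frames consumed
	Err          error
}

var errHeaderBlockTooLarge = errors.New("header block exceeds limit; closing connection")

// readHeaderBlock models the server loop. maxHeaderBytes is the per-request
// limit; excessLimit (an assumed budget) is how far past it the reader will
// still decode before closing the connection. excessLimit < 0 means unbounded,
// the pre-fix behaviour: the request is rejected but every CONTINUATION frame
// up to END_HEADERS is still fed to the decoder.
func readHeaderBlock(stream []byte, maxHeaderBytes, excessLimit int) Result {
	r := bytes.NewReader(stream)
	var res Result
	for {
		f, err := readFrame(r)
		if err != nil {
			res.Err = err
			return res
		}
		if f.Type != frameHeaders && f.Type != frameContinuation {
			res.Err = fmt.Errorf("unexpected frame type %#x inside header block", f.Type)
			return res
		}
		res.Frames++
		res.DecodedBytes += len(f.Payload)
		if excessLimit >= 0 && res.DecodedBytes > maxHeaderBytes+excessLimit {
			res.Err = errHeaderBlockTooLarge
			return res
		}
		if f.Flags&flagEndHeaders != 0 {
			return res
		}
	}
}

func main() {
	stream := buildContinuationFlood(100, 1024)
	fmt.Printf("attacker sent %d bytes on the wire\n", len(stream))
	vuln := readHeaderBlock(stream, 16*1024, -1)
	fmt.Printf("pre-fix reader: %d frames, %d bytes decoded, err=%v\n", vuln.Frames, vuln.DecodedBytes, vuln.Err)
	fixed := readHeaderBlock(stream, 16*1024, 16*1024)
	fmt.Printf("fixed reader:   %d frames, %d bytes decoded, err=%v\n", fixed.Frames, fixed.DecodedBytes, fixed.Err)
}
```

With a 16 KiB `maxHeaderBytes`, the pre-fix reader decodes all 101 frames (about 101 KiB) of a request it has already decided to reject, and nothing stops the attacker from making that 101 million; the fixed reader stops after the first frame that pushes the total past the 32 KiB budget and drops the connection, so the attacker's cost per connection is bounded.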
The primary risk is denial of service: a single client can pin CPU on the operator's HTTP/2 listener with cheap, Huffman-encoded CONTINUATION frames, degrading or stalling the service for everyone else. The v0.23.0 cited in the advisory is the release of `golang.org/x/net` that carries the fix; the standard-library `net/http` fix shipped in Go 1.21.9 and 1.22.2. Downstream projects such as openbao/openbao-secrets-operator pick it up by building with a patched Go toolchain and a `golang.org/x/net` at or above v0.23.0, and can confirm the result by re-running `govulncheck ./...` and checking `go list -m golang.org/x/net` against the module graph. Organizations running builds from earlier dependency versions should update.