OpenBao Secrets Operator Exposed to HTTP/2 CONTINUATION Flood Attack (GO-2024-2687)
A critical security vulnerability in the OpenBao Secrets Operator's main branch exposes systems to a resource exhaustion attack. The flaw, identified as GO-2024-2687, allows a malicious actor to force an HTTP/2 endpoint to process arbitrary, excessive amounts of header data by bombarding it with CONTINUATION frames. The finding is classified as "REACHABLE," meaning the vulnerable code path is reached by the deployed software and is therefore exploitable, not merely present in a dependency.
The vulnerability resides in the `net/http` package. The problem is how the server handles header blocks that exceed the `MaxHeaderBytes` limit. Although no memory is allocated to store the excess data, the server is still forced to parse and process every HEADERS and CONTINUATION frame in order to keep its HPACK decoding state consistent. Crucially, an attacker can send Huffman-encoded headers, which are computationally cheap to generate but far more expensive for the targeted server to decode. This creates a severe asymmetry, enabling a denial-of-service attack in which the server burns resources processing a request that will ultimately be rejected.
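A detection heuristic for the pattern described above, added here as an example (it is not code from the advisory, from Go's `net/http`, or from the OpenBao project): it parses raw HTTP/2 frame headers and flags any stream whose header block keeps growing across CONTINUATION frames without an END_HEADERS flag, which is exactly what a server must keep decoding in the situation the advisory describes. It assumes a plaintext frame sequence (the bytes after the client connection preface, e.g. an h2c capture or a tap behind TLS termination), uses constructed zero-byte filler in place of real HPACK data, and the byte budget passed by the caller is an arbitrary choice rather than a value from the page.

```go
package main

import "encoding/binary"

// RFC 9113 HEADERS and CONTINUATION frame types, END_HEADERS flag, fixed frame header size.
const frameHeaders, frameContinuation, flagEndHeaders, frameHeaderLen = 0x1, 0x9, 0x4, 9

// ScanFrames walks raw HTTP/2 frames (the bytes after the connection preface) and maps each
// stream whose header block exceeded maxBytes before END_HEADERS to the block bytes seen so far.
func ScanFrames(data []byte, maxBytes int) map[uint32]int {
	open, flagged := map[uint32]int{}, map[uint32]int{} // open: blocks awaiting END_HEADERS
	for len(data) >= frameHeaderLen {
		n := int(data[0])<<16 | int(data[1])<<8 | int(data[2]) // 24-bit payload length
		ftype, flags := data[3], data[4]
		id := binary.BigEndian.Uint32(data[5:9]) & 0x7fffffff // stream id, reserved bit masked
		if len(data) < frameHeaderLen+n {
			break // truncated trailing frame: stop rather than slice past the end
		}
		data = data[frameHeaderLen+n:]
		if ftype != frameHeaders && ftype != frameContinuation {
			continue // only header-block frames count toward the budget
		}
		open[id] += n
		if open[id] > maxBytes {
			flagged[id] = open[id] // keeps growing while the block stays open
		}
		if flags&flagEndHeaders != 0 {
			delete(open, id) // block complete; a later block on this stream starts fresh
		}
	}
	return flagged
}

// buildFrame assembles one frame whose payload is n zero bytes (filler, not real HPACK data).
func buildFrame(ftype, flags byte, id uint32, n int) []byte {
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), ftype, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[5:], id)
	return append(hdr, make([]byte, n)...)
}

// SampleFlood is constructed input: stream 1 opens a header block, then sends cont 1 KiB
// CONTINUATION frames that never set END_HEADERS; stream 3 sends one complete block.
func SampleFlood(cont int) []byte {
	data := buildFrame(frameHeaders, 0, 1, 1024)
	for i := 0; i < cont; i++ {
		data = append(data, buildFrame(frameContinuation, 0, 1, 1024)...)
	}
	return append(data, buildFrame(frameHeaders, flagEndHeaders, 3, 200)...)
}
```

Spotting the pattern in traffic complements rather than replaces the upgrade the advisory names: by the time such an alert fires, a vulnerable parser has already spent the HPACK decoding work on the frames it saw.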
The issue has been patched in version v0.23.0 of the openbao/openbao-secrets-operator. Organizations and developers using earlier versions are at immediate risk. This vulnerability highlights the persistent security challenges in foundational HTTP/2 implementations and underscores the operational risk for any service that relies on this operator for secret management, since the flaw can be used to cripple its availability.