This page collects WhisperX intelligence signals tagged #HTTP/2. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A reachable vulnerability has been identified in the openbao/openbao-secrets-operator repository on the main branch. The vulnerability is tracked as GO-2024-2687 and is fixed in version v0.23.0. The issue is an HTTP/2 CONTINUATION flood in the net/http package. An attacker can cause an HTTP/2 endpoint to read arbitrary...
A newly disclosed vulnerability in the HTTP/2 protocol, dubbed 'MadeYouReset,' has triggered a critical security update for a core Java networking library. The flaw, cataloged as CVE-2025-55163, is a logical vulnerability that enables a novel form of DDoS attack. It exploits malformed HTTP/2 control frames to bypass th...
A critical security vulnerability in the widely-used gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. This weakness allows attackers to potentially circumvent intended ac...
A critical security flaw in the core routing logic of Google's gRPC-Go library has been patched, exposing servers to potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was found to be overly permissiv...
A critical security vulnerability in the core routing logic of gRPC-Go has been patched, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive,...
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
谷歌 gRPC-Go 框架的核心服务器组件中发现一个高危授权绕过漏洞(CVE-2026-33186),源于对 HTTP/2 `:path` 伪头(pseudo-header)的输入验证不当。该漏洞允许攻击者通过构造特定的恶意请求路径,绕过服务端的路由逻辑,可能导致未授权的数据访问或服务调用。漏洞的根本原因在于 gRPC-Go 服务器的路由逻辑过于宽松,接受了不符合规范的 `:path` 头值。 此次安全更新通过自动化的依赖管理工具 Renovate 以拉取请求(PR)形式发布,将 `google.golang.org/grpc` 模块从存在漏洞的 v1.58.3 版本紧急升级至修复后的 v1.79.3 版本。更新跨度巨大,涉及多个...
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
A critical vulnerability in the widely-used Netty networking framework exposes HTTP/2 servers to a potent denial-of-service (DoS) attack. Tracked as CVE-2026-33871, the flaw allows a remote attacker to trigger a service outage by flooding a server with specially crafted CONTINUATION frames. The attack exploits a bypass...
A critical vulnerability in a widely-used Java networking library opens systems to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.130.Final. It is classified under CWE-770, indicating an "Allocation of Resources W...
A critical vulnerability has been disclosed in a widely used Java networking library, exposing countless applications to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.131.Final. It is classified under CWE-770, re...
OpenBao Secrets Operator 的主分支代码库中,一个被标记为“可被利用”的严重安全漏洞已被发现。该漏洞编号为 GO-2024-2687,存在于项目的 net/http 包中,涉及 HTTP/2 协议的一个关键缺陷。攻击者可通过发送大量 CONTINUATION 帧,迫使 HTTP/2 端点读取任意数量的标头数据,从而发起拒绝服务攻击。尽管请求的标头超出 MaxHeaderBytes 限制后不会被存储,但仍会被解析,这为攻击者创造了消耗服务器资源的途径。 具体而言,维护 HPACK 状态需要解析和处理连接上的所有 HEADERS 和 CONTINUATION 帧。当攻击者构造一个包含过量 CONTINUATION...
A critical vulnerability in the Eclipse Jetty project has forced a significant and complex build-system intervention to mitigate a denial-of-service risk. The flaw, CVE-2023-44487, is an HTTP/2 Rapid Reset Attack that allows an attacker to bypass concurrent stream limits and cause a DoS condition through rapid stream c...
A critical security flaw in the core routing logic of gRPC-Go servers has been disclosed, enabling potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive, ...
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be excessively lenient, incorrectly accepti...
A critical vulnerability in a widely used Java networking library creates a direct path for denial-of-service attacks. Tracked as CVE-2026-33871, the flaw resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.130.Final. The core weakness is classified as CWE-770: Allocation of Resources Withou...
OpenBao Secrets Operator 项目的主分支代码库中,发现了一个可被利用的 HTTP/2 协议漏洞。安全扫描工具 govulncheck 标记该漏洞为“可触及”,意味着攻击路径在代码中实际存在。漏洞编号为 GO-2024-2687,根源在于 Go 语言标准库 `net/http` 对 HTTP/2 CONTINUATION 帧的处理存在缺陷。攻击者可通过发送大量 CONTINUATION 帧,迫使 HTTP/2 端点读取任意数量的头部数据,从而可能耗尽服务器资源或导致服务中断。 该漏洞影响项目 `openbao/openbao-secrets-operator` 的 `main` 分支,并波及多个核心依赖,包括 ...
Google 旗下核心微服务通信框架 gRPC-Go 曝出严重安全漏洞。编号为 CVE-2026-33186 的缺陷源于对 HTTP/2 协议中 `:path` 伪头(pseudo-header)的输入验证不当,可能允许攻击者绕过服务端的授权检查。这一漏洞被定性为“授权绕过”(Authorization Bypass),直接影响所有使用受影响版本 gRPC-Go 服务器组件的系统。 该漏洞存在于 google.golang.org/grpc 库中,从特定版本开始引入。安全公告明确指出,问题的根源是 gRPC-Go 服务器对 HTTP/2 请求中路径头的解析过于宽松。攻击者可能通过精心构造的恶意请求路径,欺骗服务器处理本应被权限系统...
OpenBao Secrets Operator 的主代码库中,一个可被利用的 HTTP/2 协议漏洞已被安全扫描工具 govulncheck 标记为“可触及”。该漏洞编号为 GO-2024-2687,存在于多个核心依赖中,包括 `golang.org/x/net` 库。攻击者可通过发送过量的 CONTINUATION 帧,迫使 HTTP/2 端点读取任意数量的头部数据,从而可能耗尽服务器资源或导致服务中断。 漏洞直接影响 `openbao/openbao-secrets-operator` 仓库的 `main` 分支。受影响的依赖版本范围广泛,涉及 `github.com/aws/aws-sdk-go`、`github.com/...
A critical vulnerability has been disclosed in a foundational Java networking library, exposing countless applications to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.2.9.Final. It is classified under CWE-770, ind...