HTTP/2 Stream Cancellation Attack
Description
google.golang.org/grpc is vulnerable to an HTTP/2 Stream Cancellation Attack. The vulnerability exists because the library does not enforce the limit of concurrently running handlers set by MaxConcurrentStreams. This enables an attacker to send malicious HTTP/2 requests, cancel them, and then send subsequent requests. While this behavior is compliant with the HTTP/2 protocol, it results in the gRPC-Go server launching more concurrent method handlers than the intended maximum stream limit. Consequently, this can lead to an application…
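The defence the advisory implies, as an added Go example that is not gRPC-Go's own code: a handler slot is acquired at stream admission and released only when the handler returns, so cancelling the stream cannot free it, and a constructed open-cancel-repeat sequence shows admissions capped at the limit. The names HandlerLimiter and SimulateRapidReset are assumptions.

```go
package main

import (
	"context"
	"sync"
)

// HandlerLimiter bounds concurrently running handlers. A slot belongs to
// the handler, not the stream: cancelling the stream does not free it.
type HandlerLimiter struct{ slots chan struct{} }

// Acquire claims a slot at stream admission; false means reject.
func (l *HandlerLimiter) Acquire() bool {
	select {
	case l.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

// Release frees the slot; call it only once the handler has returned.
func (l *HandlerLimiter) Release() { <-l.slots }

// SimulateRapidReset models the advisory's pattern: open a stream, cancel
// it at once, open the next, while admitted handlers keep working.
func SimulateRapidReset(max, requests int) (admitted, rejected int) {
	l := &HandlerLimiter{slots: make(chan struct{}, max)}
	release := make(chan struct{}) // constructed: lets handlers finish
	var wg sync.WaitGroup
	for i := 0; i < requests; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		if !l.Acquire() {
			rejected++
			cancel()
			continue
		}
		admitted++
		wg.Add(1)
		go func(ctx context.Context) {
			defer wg.Done()
			defer l.Release() // slot freed only when the handler returns
			<-release         // keeps working; ctx.Done() is ignored
		}(ctx)
		cancel() // client resets the stream right after opening it
	}
	close(release)
	wg.Wait()
	return admitted, rejected
}
```

With a limit of 10 and 100 rapidly cancelled requests, only 10 handlers are ever admitted; the remaining 90 are rejected at admission instead of each starting a handler.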
References