Allocation of Resources Without Limits or Throttling Affecting github.com/traefik/traefik/v3/pkg/config/static package, versions >=3.0.0-rc1 <3.0.0-rc5


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGCONFIGSTATIC-6615849
  • published16 Apr 2024
  • disclosed10 Jan 2024
  • creditBartek Nowotarski

Introduced: 10 Jan 2024

CVE-2023-45288  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade github.com/traefik/traefik/v3/pkg/config/static to version 3.0.0-rc5 or higher.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when reading header data from CONTINUATION frames. As part of the HPACK flow, all incoming HEADERS and CONTINUATION frames are read even if their payloads exceed MaxHeaderBytes and will be discarded. An attacker can send excessive data over a connection to render it unresponsive.

CVSS Scores

version 4.0
version 3.1