🚨 HTTP/2 CONTINUATION Flood: Security Advisory




  • Vulnerabilities connected to net/textproto.Reader misuse in Golang. Affected projects include Golang (CVE-2023-45290), Caddy and many others.
  • HTTP Chunk Extension Processing Vulnerabilities A family of vulnerabilities I discovered in major projects including Golang (CVE-2023-39326), Node.js (CVE-2024-22019), Rust: Hyper and Rails: Puma (CVE-2024-21647). Invalid processing of HTTP chunk extensions created an amplification vector for server reads which allowed DoS attacks caused by network bandwidth or CPU exhaustion.
  • CVE-2023-29406 The HTTP/1 client in Golang does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.


  • As a part of my work for Stellar.org Security Team I discovered a vulnerability in Trezor hardware wallet firmware affecting its Stellar client. Because of an insufficient field size check in Protobuf, an attacker could trick the user into signing a Stellar transaction moving their assets while thinking they are signing a ManageData transaction. Slides from internal presenation are available here.


  • XSS in Yahoo! Mail allowing to send/read email messages via clicking on a crafted link.


  • No authorization check in some GraphQL queries allowed accessing a list of applications installed by any Facebook user.