The Shift Around Security: GO-2024-2687
HTTP/2 CONTINUATION frames are a stealthy attack vector many overlook, especially in modern API controllers like OpenBao's secrets layer. When an endpoint parses headers, too many CONTINUATION frames bypass safe memory limits, forcing the server to decode massive, Huffman-encoded payloads without proper bounds. This exposes systems to hidden data leaks, even during rejected requests.

The vulnerability, GO-2024-2687, surfaces when the system fails to cap excess header processing. As shown in openbao/openbao-secrets-operator/main:
- controllers/vaultauth_controller.go:114 detects the request and begins parsing.
- internal/vault/client.go:463 initiates a login handshake with an unbounded frame read.
- internal/vault/client.go:515 triggers the data write via Write, where decoding is unfettered.
- Even main.go:125 runs the initial connection handshake, creating the kill path.

Psychologically, this flaw thrives on the false belief that HTTP/2 headers are self-limiting. In reality, attackers exploit the protocol's expectation of stateful stream parsing, using overflow to extract encrypted client data, often from OAuth tokens or secrets. It's not flashy, but it's a chink in the authentication architecture.

Contrary to popular assumption, this isn't about brute force; it's about state exhaustion. No credentials are stolen directly, yet the exposure risks cascading breaches. The fix, v0.23.0, limits processed CONTINUATION frames before connection closure.

Here is the deal: even minor oversights in protocol parsing can unravel secure layers. Do you trust your API's edge to handle unexpected traffic gracefully?

The bottom line: HTTP/2's elegance masks a subtle danger. Stay sharp: bucket brigades like this highlight how critical input limits are in securing modern services.
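As an added illustration of the mitigation described above (a cap on buffered header-block bytes, charged before any fragment is stored and enforced even for blocks that will be rejected, with the connection closed when it trips), here is a small Go accumulator. It is example code written for this page, not code from OpenBao or from x/net/http2; the frame type, the 64-byte cap and the fragment sizes are constructed for the demo.

```go
package main

import "errors"

// ErrHeaderBlockTooLarge is connection-level: the server stops reading and
// closes the socket instead of decoding or buffering any further fragments.
var ErrHeaderBlockTooLarge = errors.New("header block exceeds cap; close connection")

// frame is a constructed stand-in for an HTTP/2 HEADERS/CONTINUATION frame
// (not the x/net/http2 Frame type); fragment holds opaque HPACK bytes.
type frame struct {
	streamID   uint32
	fragment   []byte
	endHeaders bool // END_HEADERS flag: this fragment completes the block
}

// headerAccumulator reassembles one header block, charging every fragment
// against maxBytes before buffering it, so a block that will be rejected
// still cannot make the server buffer or decode more than maxBytes.
type headerAccumulator struct {
	maxBytes int
	buf      []byte // fragments of the in-progress block (nil when idle)
}

// push consumes one frame; done is true once END_HEADERS completed the block.
func (a *headerAccumulator) push(f frame) (block []byte, done bool, err error) {
	if len(a.buf)+len(f.fragment) > a.maxBytes { // cap checked before append
		a.buf = nil
		return nil, false, ErrHeaderBlockTooLarge
	}
	a.buf = append(a.buf, f.fragment...)
	if !f.endHeaders {
		return nil, false, nil // more CONTINUATION frames expected
	}
	block, a.buf = a.buf, nil
	return block, true, nil
}

// drain feeds frames until a block completes or the cap trips; it returns the
// block, the number of frames read, and the error (nil if the input ran out).
func drain(a *headerAccumulator, frames []frame) ([]byte, int, error) {
	for i, f := range frames {
		if block, done, err := a.push(f); err != nil || done {
			return block, i + 1, err
		}
	}
	return nil, len(frames), nil
}
```

With a 64-byte cap and 16-byte fragments, an unterminated run of CONTINUATION frames is cut off at the fifth frame, while a well-formed block that lands exactly on the cap is still accepted.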