GHSA-m7vp-hqwv-7m5x
Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
Blast Radius
github.com/spiffe/spire🐹github.com/spiffe/spireReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/http package. HTTP/2 endpoints consuming the net/http package within SPIRE server and agent (or other components in this repository) that are on by default include the following:
- OIDC Discovery Provider
- K8s Workload Registrar in webhook mode
The following endpoints are vulnerable when enabled:
- SPIRE server bundle endpoint (i.e. Federation API)
The following endpoints are NOT vulnerable, since HTTP/2 support in go is not enabled on non-TLS protected endpoints:
- SPIRE server/agent metrics endpoint when configured for Prometheus
- SPIRE server/agent health endpoints
- SPIRE server/agent profiling endpoints
Patches
SPIRE 1.0.3 and 1.1.3 have been released with an upgraded Go toolchain which patches the vulnerability
Workarounds
The vulnerability can be worked around entirely by including the http2server=0 value in the GODEBUG environment variable (see https://github.com/golang/go/issues/50058). This turns off HTTP/2 support on all non-gRPC endpoints. They will still function with HTTP/1.1.
The risk associated with this vulnerability can be somewhat mitigated by limiting the exposure of the endpoints in question. If necessary, vulnerable components or endpoints that are optionally configured can be disabled temporarily.
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/spiffe/spire | all versions | 1.0.3 |
| 🐹Go | github.com/spiffe/spire | ≥ 1.1.0&&< 1.1.3 | 1.1.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/spiffe/spire. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/spiffe/spire to 1.0.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-m7vp-hqwv-7m5x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-m7vp-hqwv-7m5x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-m7vp-hqwv-7m5x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-m7vp-hqwv-7m5x in your dependencies?
O3 detects GHSA-m7vp-hqwv-7m5x across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.