CVE-2022-24863

7.5 HIGH

📋 TL;DR

CVE-2022-24863 is a denial-of-service vulnerability in http-swagger where improper HTTP method handling allows attackers to exhaust system memory. This affects all users running http-swagger versions before 1.2.6. Attackers can crash affected systems by sending specially crafted requests.

💻 Affected Systems

Products:
  • http-swagger (swaggo/http-swagger)
Versions: All versions prior to 1.2.6
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment using vulnerable http-swagger middleware for API documentation

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability due to memory exhaustion, potentially affecting all services on the host

🟠

Likely Case

Service disruption and degraded performance of the http-swagger endpoint and potentially other services on the same host

🟢

If Mitigated

Minimal impact with proper HTTP method restrictions and resource monitoring

🌐 Internet-Facing: HIGH - Publicly accessible endpoints can be easily targeted by unauthenticated attackers
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but attack surface is reduced

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation can trigger the vulnerability without authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.6

Vendor Advisory: https://github.com/swaggo/http-swagger/security/advisories/GHSA-xg75-q3q5-cqmv

Restart Required: Yes

Instructions:

1. Update go.mod to require github.com/swaggo/http-swagger v1.2.6 or later
2. Run 'go get -u github.com/swaggo/http-swagger'
3. Rebuild and redeploy your application
4. Restart the service

🔧 Temporary Workarounds

Restrict HTTP methods to GET only


Configure web server or application to only allow GET requests to the swagger endpoint

# Example for nginx:
location /swagger/ {
    limit_except GET {
        deny all;
    }
}

# Example application middleware (gorilla/mux router):
router.Handle("/swagger/*", httpSwagger.Handler()).Methods("GET")
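Application-level version of the GET-only workaround for routers that have no Methods() helper, as an added example (not http-swagger's or this page's own code): restrictMethods, methodAllowed and swaggerStub are names introduced here, and swaggerStub stands in for the real httpSwagger.Handler() so the block runs offline.

```go
package main

import (
	"io"
	"log"
	"net/http"
)

// allowedMethods lists the only HTTP methods the swagger endpoint should serve.
// Matching the workaround above, this is exactly "GET only" (HEAD is not included).
var allowedMethods = map[string]bool{http.MethodGet: true}

// methodAllowed reports whether a request method may reach the swagger handler.
func methodAllowed(method string) bool { return allowedMethods[method] }

// restrictMethods wraps next so that disallowed methods get 405 Method Not Allowed
// and never reach the wrapped handler, so the vulnerable non-GET path is not exercised.
func restrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !methodAllowed(r.Method) {
			w.Header().Set("Allow", http.MethodGet)
			http.Error(w, "405 method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// swaggerStub stands in for httpSwagger.Handler() (assumption: in a real service
// the handler is imported from github.com/swaggo/http-swagger instead).
func swaggerStub() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = io.WriteString(w, "swagger ui")
	})
}

func main() {
	mux := http.NewServeMux()
	// The trailing slash makes the pattern match the whole /swagger/ subtree.
	mux.Handle("/swagger/", restrictMethods(swaggerStub()))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```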

🧯 If You Can't Patch

  • Implement rate limiting on the swagger endpoint
  • Deploy WAF rules to block suspicious HTTP method patterns

🔍 How to Verify

Check if Vulnerable:

Check go.mod or vendor dependencies for http-swagger version <1.2.6

Check Version:

grep 'http-swagger' go.mod | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Confirm http-swagger version is 1.2.6 or higher in go.mod and verify application functions correctly

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes
  • Multiple HTTP requests with non-GET methods to /swagger/* endpoints
  • Process crashes or restarts

Network Indicators:

  • High volume of HTTP requests to swagger endpoints with PUT, POST, DELETE methods
  • Abnormal request patterns from single IPs

SIEM Query:

source="web_logs" AND uri="/swagger/*" AND method!="GET" | stats count by src_ip

🔗 References
