Tyk could be exposed to HTTP/2 Continuation frame CVE

Uri_Parush · April 17, 2024, 7:49am

Do you want to request a feature or report a bug?
Security concern (bug?).

What is the current behavior?
Tyk could be exposed to HTTP/2 Continuation frame implementation bug in golang

What is the expected behavior?
Either validate Tyk is not affected and inform users of that or upgrade packages / go version us suggested by Google in their advisory.

Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk?
Possible affects most of the latest releases, if not all of them.

Olu · April 17, 2024, 9:24am

@Uri_Parush Thanks for bringing this to our attention.

I have informed the team internally and they will investigate further.

I will come back when I have an update.

Uri_Parush · April 28, 2024, 6:49am

Hi,
Any update on this issue?
This security issue is urgent if the API GW is at risk

Thanks