Vulnerability Report: GO-2024-2599

CVE-2023-45290
Affects: net/textproto
Published: Mar 05, 2024
Modified: May 20, 2024

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

Affected Packages

Path

Versions

Symbols
net/textproto

before go1.21.8, from go1.22.0-0 before go1.22.1
8 affected symbols

Aliases

CVE-2023-45290

References

https://go.dev/issue/65383
https://go.dev/cl/569341
https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
https://vuln.go.dev/ID/GO-2024-2599.json

Credits

Bartek Nowotarski

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL