Vulnerability Report: GO-2024-3106

CVE-2024-34156
Affects: encoding/gob
Published: Sep 06, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected Packages

Path

Versions

Symbols
encoding/gob

before go1.22.7, from go1.23.0-0 before go1.23.1
- Decoder.Decode
- Decoder.DecodeValue

Aliases

CVE-2024-34156

References

https://go.dev/cl/611239
https://go.dev/issue/69139
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://vuln.go.dev/ID/GO-2024-3106.json

Credits

Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL