GHSA-69ch-w2m2-3vjp

Suggest an improvement
Source
https://github.com/advisories/GHSA-69ch-w2m2-3vjp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-69ch-w2m2-3vjp/GHSA-69ch-w2m2-3vjp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-69ch-w2m2-3vjp
Aliases
Related
Published
2022-10-14T19:00:40Z
Modified
2024-09-11T06:13:24.921303Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
golang.org/x/text/language Denial of service via crafted Accept-Language header
Details

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Specific Go Packages Affected

golang.org/x/text/language

References

Affected packages

Go / golang.org/x/text

Package

Name
golang.org/x/text
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/text

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.8