GO-2020-0015

See a problem?

Source

https://pkg.go.dev/vuln/GO-2020-0015

Import Source

https://vuln.go.dev/ID/GO-2020-0015.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2020-0015

Aliases

Published

2021-04-14T20:04:52Z

Modified

2024-09-11T06:13:28.596764Z

Summary

Infinite loop when decoding some inputs in golang.org/x/text

Details

An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.

References

Credits

- @abacabadabacaba
- Anton Gyllenberg

Affected packages

Go / golang.org/x/text

Package

Name: golang.org/x/text; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/text

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.3

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/text/encoding/unicode",
            "symbols": [
                "bomOverride.Transform",
                "utf16Decoder.Transform"
            ]
        },
        {
            "path": "golang.org/x/text/transform",
            "symbols": [
                "String"
            ]
        }
    ]
}