GO-2021-0082

Source
https://pkg.go.dev/vuln/GO-2021-0082
Import Source
https://vuln.go.dev/ID/GO-2021-0082.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2021-0082
Aliases
Published
2021-04-14T20:04:52Z
Modified
2024-09-11T06:12:37.728644Z
Summary
Denial of service via malicious message size declaration in github.com/facebook/fbthrift
Details

Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.
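The allocation pattern described above, shown beside a bounded alternative. This is an added example, not code from fbthrift or from this advisory; the 4-byte big-endian length prefix, `maxMessageSize`, `ErrTooLarge`, `readUnsafe` and `readBounded` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxMessageSize is an assumed policy limit, not a value taken from fbthrift.
const maxMessageSize = 1 << 20

var ErrTooLarge = errors.New("declared size exceeds limit")

// readUnsafe trusts the declared length and allocates that much memory
// before any payload byte has arrived (the flawed pattern).
func readUnsafe(r io.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	buf := make([]byte, n) // size is controlled by the sender
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readBounded rejects oversized declarations and grows its buffer only as
// bytes actually arrive, so memory use tracks real input, not the header.
func readBounded(r io.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if n > maxMessageSize {
		return nil, ErrTooLarge
	}
	var buf bytes.Buffer
	got, err := io.CopyN(&buf, r, int64(n))
	if err != nil {
		return nil, fmt.Errorf("short message: got %d of %d bytes: %w", got, n, err)
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed frame: header declares 512 KiB, body carries 3 bytes.
	frame := append([]byte{0x00, 0x08, 0x00, 0x00}, "abc"...)
	_, err := readBounded(bytes.NewReader(frame))
	fmt.Println(err)
}
```

The size cap alone still permits one allocation of up to the limit per connection, which is why the bounded reader also copies incrementally instead of preallocating.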

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2021-0082"
}
References

Affected packages

Go / github.com/facebook/fbthrift

Package

Name
github.com/facebook/fbthrift
Purl
pkg:golang/github.com/facebook/fbthrift

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.31.1-0.20200311080807-483ed864d69f

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/facebook/fbthrift/thrift/lib/go/thrift"
        }
    ]
}