Vulnerability Report: GO-2020-0015
- CVE-2020-14040, GHSA-5rcv-m4m3-hfh7
- Affects: golang.org/x/text
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.
Affected Packages
-
PathVersionsSymbols
-
before v0.3.3all symbols
-
before v0.3.3
Aliases
References
- https://go.dev/cl/238238
- https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
- https://go.dev/issue/39491
- https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0
- https://vuln.go.dev/ID/GO-2020-0015.json
Credits
- @abacabadabacabaAnton Gyllenberg
Feedback
See anything missing or incorrect?
Suggest an edit to this report.