Vulnerability Report: GO-2023-2328
- CVE-2023-45286, GHSA-xwh9-gc39-5298
- Affects: github.com/go-resty/resty/v2
- Published: Nov 27, 2023
- Modified: May 20, 2024
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
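The sequence the description above lays out, as an added example that is not part of the advisory or of go-resty: a small deterministic stand-in pool (constructed here, because real sync.Pool Get/Put ordering depends on the runtime) shows how one extra Put of the same *bytes.Buffer after a retry hands that buffer to two in-flight requests, so the second one sends both bodies, and how releasing it exactly once keeps the requests separate. Function names and the request flow are a hypothetical simplification, not go-resty's code.

```go
package main

import (
	"bytes"
	"fmt"
)

// pool is a deterministic stand-in for sync.Pool, constructed for this example so the
// double-Put effect is reproducible; it keeps the same Get/Put contract.
type pool struct{ free []*bytes.Buffer }

func (p *pool) Get() *bytes.Buffer {
	if n := len(p.free); n > 0 {
		b := p.free[n-1]
		p.free = p.free[:n-1]
		return b
	}
	return new(bytes.Buffer)
}

// Put resets the buffer before returning it, as a well-behaved release should.
func (p *pool) Put(b *bytes.Buffer) { b.Reset(); p.free = append(p.free, b) }

// finishAttempt releases a request body buffer. With doubleRelease set it models the
// pre-fix flow: a retry causes the same pointer to be Put twice (hypothetical simplification).
func finishAttempt(p *pool, buf *bytes.Buffer, attempts int, doubleRelease bool) {
	p.Put(buf)
	if doubleRelease && attempts > 1 {
		p.Put(buf) // second Put of the same *bytes.Buffer: the pool now holds it twice
	}
}

// simulate runs request A (which retried), then interleaves unrelated requests B and C
// on the shared pool. It returns the bytes C puts on the wire.
func simulate(doubleRelease bool) string {
	p := &pool{}
	bufA := p.Get()
	bufA.WriteString("bodyA")
	finishAttempt(p, bufA, 2, doubleRelease) // a retry occurred: two attempts
	bufB := p.Get()
	bufB.WriteString("bodyB") // B is still in flight...
	bufC := p.Get()           // ...when C gets a buffer: the same pointer if the double Put happened
	bufC.WriteString("bodyC")
	return bufC.String() // C sends B's body plus its own when the buffer was shared
}

func main() {
	fmt.Printf("double release: %q\n", simulate(true))  // "bodyBbodyC"
	fmt.Printf("single release: %q\n", simulate(false)) // "bodyC"
}
```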
Affected Packages
Path                          Go Versions                   Symbols
github.com/go-resty/resty/v2  from v2.10.0 before v2.11.0
Aliases
- CVE-2023-45286
- GHSA-xwh9-gc39-5298
References
- https://github.com/go-resty/resty/issues/743
- https://github.com/go-resty/resty/issues/739
- https://github.com/go-resty/resty/pull/745
- https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e
- https://vuln.go.dev/ID/GO-2023-2328.json
Credits
- Logan Attwood (@lattwood)