GHSA-846p-jg2w-w324

Suggest an improvement
Source
https://github.com/advisories/GHSA-846p-jg2w-w324
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-846p-jg2w-w324/GHSA-846p-jg2w-w324.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-846p-jg2w-w324
Aliases
Downstream
Published
2026-01-21T16:19:28Z
Modified
2026-01-22T15:52:25.316481Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
go-tuf affected by client DoS via malformed server response
Details

Security Disclosure: Client DoS via malformed server response

Summary

If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.

Impact

Client crashes upon receiving and parsing malformed TUF metadata. This can cause long running services to enter an restart/crash loop.

Workarounds

None currently.

Affected code

The metadata.checkType function did not properly type assert the (untrusted) input causing it to panic on malformed data.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-617",
        "CWE-754"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-01-21T16:19:28Z",
    "nvd_published_at": "2026-01-22T03:15:47Z"
}
References

Affected packages

Go / github.com/theupdateframework/go-tuf/v2

Package

Name
github.com/theupdateframework/go-tuf/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/theupdateframework/go-tuf/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-846p-jg2w-w324/GHSA-846p-jg2w-w324.json"