GO-2020-0015

Source
https://pkg.go.dev/vuln/GO-2020-0015
Import Source
https://vuln.go.dev/ID/GO-2020-0015.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2020-0015
Aliases
Published
2021-04-14T20:04:52Z
Modified
2024-05-20T16:03:47Z
Summary
Infinite loop when decoding some inputs in golang.org/x/text
Details

An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2020-0015"
}
References
Credits
    • @abacabadabacaba
    • Anton Gyllenberg

Affected packages

Go / golang.org/x/text

Package

Name
golang.org/x/text
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/text

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.3

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/text/encoding/unicode",
            "symbols": [
                "bomOverride.Transform",
                "utf16Decoder.Transform"
            ]
        },
        {
            "path": "golang.org/x/text/transform",
            "symbols": [
                "String"
            ]
        }
    ]
}