An attacker can construct a series of bytes such that calling Reader.Read on the bytes could cause an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2020-0016" }