GO-2021-0347

Source
https://pkg.go.dev/vuln/GO-2021-0347
Import Source
https://vuln.go.dev/ID/GO-2021-0347.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2021-0347
Aliases
Published
2022-05-23T22:15:47Z
Modified
2024-05-20T16:03:47Z
Summary
Stack exhaustion when compiling deeply nested expressions in regexp
Details

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2021-0347"
}
References
Credits
    • Juho Nurminen

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.15
Introduced
1.17.0-0
Fixed
1.17.8

Ecosystem specific

{
    "imports": [
        {
            "path": "regexp",
            "symbols": [
                "regexp.Compile"
            ]
        }
    ]
}