GO-2022-1039

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-1039

Import Source

https://vuln.go.dev/ID/GO-2022-1039.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-1039

Aliases

Published

2022-10-06T16:42:07Z

Modified

2024-05-20T16:03:47Z

Summary

Memory exhaustion when compiling regular expressions in regexp/syntax

Details

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service.

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

References

Credits

- Adam Korczynski (ADA Logics)
- OSS-Fuzz

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.18.7

Introduced

1.19.0-0

Fixed

1.19.2

Ecosystem specific

{
    "imports": [
        {
            "path": "regexp/syntax",
            "symbols": [
                "Parse",
                "parse",
                "parser.factor",
                "parser.push",
                "parser.repeat"
            ]
        }
    ]
}