Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.
This stems from several causes:
The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.
With the fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.
In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:
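The following is an added example, not code from the advisory or from the Go standard library, showing how an application can bound its own exposure to the part-count and memory issue described above. Instead of ParseMultipartForm or ReadForm, which buffer the whole form, the handler caps the request body with http.MaxBytesReader and then streams through the form with Reader.NextPart, rejecting it once a part count or per-part size cap is exceeded. The cap values (maxBodyBytes, maxParts, maxPartBytes) are assumptions chosen for the example and are not the limits the fixed mime/multipart imposes; buildForm constructs sample input.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Assumed caps for this example; they are not the advisory's limits.
const (
	maxBodyBytes = 1 << 20  // whole request body
	maxParts     = 100      // parts per form
	maxPartBytes = 64 << 10 // bytes per part
)

var (
	errTooManyParts = errors.New("multipart form has too many parts")
	errPartTooLarge = errors.New("multipart part exceeds size cap")
)

// scanParts walks a form with Reader.NextPart, counting parts and draining
// each one through a bounded copy, so neither a huge part count nor a huge
// single part is ever buffered in memory. It returns the number of parts
// seen before stopping.
func scanParts(mr *multipart.Reader, maxParts int, maxPartBytes int64) (int, error) {
	count := 0
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return count, nil
		}
		if err != nil {
			return count, err
		}
		count++
		if count > maxParts {
			p.Close()
			return count, errTooManyParts
		}
		// Copy at most maxPartBytes+1 bytes: seeing the extra byte means
		// the part is over the cap without ever holding it in memory.
		n, err := io.CopyN(io.Discard, p, maxPartBytes+1)
		p.Close()
		if err != nil && err != io.EOF {
			return count, err
		}
		if n > maxPartBytes {
			return count, errPartTooLarge
		}
	}
}

// uploadHandler caps the raw body first, then streams parts rather than
// calling ParseMultipartForm, which would buffer the whole form.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	mr, err := r.MultipartReader()
	if err != nil {
		http.Error(w, "expected multipart/form-data", http.StatusBadRequest)
		return
	}
	n, err := scanParts(mr, maxParts, maxPartBytes)
	var tooBig *http.MaxBytesError // body cap tripped mid-parse
	switch {
	case errors.Is(err, errTooManyParts), errors.Is(err, errPartTooLarge), errors.As(err, &tooBig):
		http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "malformed form", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "accepted %d parts\n", n)
	}
}

// buildForm constructs a multipart/form-data body of numParts one-byte
// fields (sample input constructed for this example).
func buildForm(numParts int) (body []byte, boundary string) {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	for i := 0; i < numParts; i++ {
		fw, _ := mw.CreateFormField(fmt.Sprintf("field%d", i))
		fw.Write([]byte("x"))
	}
	mw.Close()
	return buf.Bytes(), mw.Boundary()
}

// postForm sends a constructed form through uploadHandler and returns the
// HTTP status code it produced.
func postForm(numParts int) int {
	body, boundary := buildForm(numParts)
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	req.Header.Set("Content-Type", "multipart/form-data; boundary="+boundary)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("10 parts  ->", postForm(10))  // 200
	fmt.Println("500 parts ->", postForm(500)) // 413
}
```

Because scanParts stops at the first part past the cap, a form with thousands of parts costs the server only the work of reading up to maxParts headers, which is the behaviour an application wants while it cannot yet rely on the fixed mime/multipart limits.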
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-1705" }
{ "imports": [ { "path": "mime/multipart", "symbols": [ "Part.populateHeaders", "Reader.NextPart", "Reader.NextRawPart", "Reader.ReadForm", "Reader.nextPart", "Reader.readForm", "mimeHeaderSize", "newPart", "readMIMEHeader" ] }, { "path": "net/textproto", "symbols": [ "Reader.ReadMIMEHeader", "readMIMEHeader" ] } ] }