Vulnerability Report: GO-2020-0015

CVE-2020-14040, GHSA-5rcv-m4m3-hfh7
Affects: golang.org/x/text
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.

Affected Packages

Path

Go Versions

Symbols
golang.org/x/text/encoding/unicode

before v0.3.3
2 unexported affected symbols
- bomOverride.Transform
- utf16Decoder.Transform
golang.org/x/text/transform

before v0.3.3
- String

Aliases

CVE-2020-14040
GHSA-5rcv-m4m3-hfh7

References

https://go.dev/cl/238238
https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
https://go.dev/issue/39491
https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0
https://vuln.go.dev/ID/GO-2020-0015.json

Credits

@abacabadabacaba, Anton Gyllenberg

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL