Vulnerability Report: GO-2021-0142

standard library

CVE-2020-16845, GHSA-q6gq-997w-f55g
Affects: encoding/binary
Published: Jul 01, 2022
Modified: May 20, 2024

ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs. Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

Affected Packages

Path

Go Versions

Symbols
encoding/binary

before go1.13.15, from go1.14.0-0 before go1.14.7
- ReadUvarint
- ReadVarint

Aliases

CVE-2020-16845
GHSA-q6gq-997w-f55g

References

https://go.dev/cl/247120
https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258
https://go.dev/issue/40618
https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
https://vuln.go.dev/ID/GO-2021-0142.json

Credits

Diederik Loerakker, Jonny Rhea, Raúl Kripalani, Preston Van Loon

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL