Vulnerability Report: GO-2022-0427

CVE-2022-24863, CVE-2024-25712, and 2 more
Affects: github.com/swaggo/http-swagger
Published: Feb 29, 2024
Modified: Apr 26, 2024

The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors.

Affected Packages

Path

Versions

Symbols
github.com/swaggo/http-swagger

before v1.2.6

all symbols

Aliases

CVE-2022-24863
CVE-2024-25712
GHSA-49w7-5r33-jm9m
GHSA-xg75-q3q5-cqmv

References

https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
https://github.com/swaggo/http-swagger/pull/62
https://github.com/swaggo/http-swagger/issues/61
https://vuln.go.dev/ID/GO-2022-0427.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL