Vulnerability Report: GO-2024-2824
standard library
- CVE-2024-24788
- Affects: net
- Published: May 07, 2024
- Modified: May 20, 2024
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Affected Packages
- Path: net
- Go Versions: from go1.22.0-0 before go1.22.3

29 affected symbols:
- Dial
- DialTimeout
- Dialer.Dial
- Dialer.DialContext
- Listen
- ListenConfig.Listen
- ListenConfig.ListenPacket
- ListenPacket
- LookupAddr
- LookupCNAME
- LookupHost
- LookupIP
- LookupMX
- LookupNS
- LookupSRV
- LookupTXT
- ResolveIPAddr
- ResolveTCPAddr
- ResolveUDPAddr
- Resolver.LookupAddr
- Resolver.LookupCNAME
- Resolver.LookupHost
- Resolver.LookupIP
- Resolver.LookupIPAddr
- Resolver.LookupMX
- Resolver.LookupNS
- Resolver.LookupNetIP
- Resolver.LookupSRV
- Resolver.LookupTXT
Aliases
References
- https://go.dev/issue/66754
- https://go.dev/cl/578375
- https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
- https://vuln.go.dev/ID/GO-2024-2824.json
Credits
- @long-name-let-people-remember-you, Mateusz Poliwczak