Vulnerability Report: GO-2024-3106
standard library
- CVE-2024-34156
- Affects: encoding/gob
- Published: Sep 06, 2024
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected Packages
- Path: encoding/gob
- Go Versions: before go1.22.7, from go1.23.0-0 before go1.23.1
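The version ranges above can be checked against a running toolchain. The following is an added example, not code from the Go project or this report; the function name `AffectedByGO20243106` is hypothetical, and it assumes a bare `go1.N` string means `go1.N.0` and that `go1.23.0-0` covers the 1.23 rc and beta builds.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// goVer matches release strings such as go1.22.6, go1.23.0, go1.23 and
// pre-releases such as go1.23rc2; trailing text (e.g. " X:exp") is ignored.
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+)|(rc|beta)\d+)?(?:[ +-].*)?$`)

// AffectedByGO20243106 (hypothetical name) reports whether a Go version string
// falls in the ranges this report lists: before go1.22.7, or from go1.23.0-0
// (assumed to include 1.23 pre-releases) up to but not including go1.23.1.
func AffectedByGO20243106(v string) (bool, error) {
	m := goVer.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0 // no patch component (go1.23, go1.23rc1) is treated as .0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	switch {
	case minor < 22:
		return true, nil // everything before the 1.22 line
	case minor == 22:
		return patch < 7, nil // fixed in go1.22.7
	case minor == 23:
		return patch < 1, nil // go1.23.0 and its rc/beta builds; fixed in go1.23.1
	default:
		return false, nil
	}
}

func main() {
	v := runtime.Version()
	affected, err := AffectedByGO20243106(v)
	if err != nil {
		fmt.Println("cannot decide:", err) // e.g. development builds
		return
	}
	fmt.Printf("%s in affected range for GO-2024-3106: %v\n", v, affected)
}
```

The check only covers the toolchain version; whether a given program is exposed also depends on whether it calls Decoder.Decode on input it does not control.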
Aliases
References
- https://go.dev/cl/611239
- https://go.dev/issue/69139
- https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
- https://vuln.go.dev/ID/GO-2024-3106.json
Credits
- Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)