Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 94.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 27; Latest update Nov 1

Description

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (3 packages)

NVD: golang/go 1.16.0 to 1.16.4 (+1)
Go: golang.org/x_net < 0.0.0-20210428140749-89ef3d95e781
Palo Alto: paloalto/pan-os

Also affects: Fedora 34

Patches

Vulnerability Details (5)

OSV: Panic due to large headers in net/http and golang.org/x/net/http/httpguts (2022-07-15)
GHSA: golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion (2022-05-24)
OSV: golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion (2022-05-24)
CVEList: CVE-2021-31525: net/http in Go before 1... (2021-05-27)
OSV: CVE-2021-31525: net/http in Go before 1... (2021-05-27)

Vendor Advisories (6)

Palo Alto: PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-11-01)
Red Hat: serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 (2021-09-13)
Red Hat: serverless: incomplete fix of CVE-2021-31525 (2021-08-18)
Microsoft: net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server Transport and Client can e... (2021-05-11)
Red Hat: golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (2021-04-22)
CVE-2021-31525 — Uncontrolled Recursion in X NET | cvebase