CVE-2022-32149
published 2022-10-14
CVE-2022-32149: An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Priority P4 · 33 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.43% (69.7th percentile)
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Affected
29 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-golang-x-text | < golang-golang-x-text 0.3.8-1 (bookworm) | golang-golang-x-text 0.3.8-1 (bookworm) |
| golang.org | x_text | >= 0 < 0.3.8 | 0.3.8 |
| golang.org | x_text_golang.org_x_text_language | < 0.3.8 | 0.3.8 |
| golang | text | < 0.3.8 | 0.3.8 |
| msrc | azl3_cni_1.1.2-3 | — | — |
| msrc | azl3_cni_1.1.2-4 | — | — |
| msrc | azl3_containernetworking-plugins_1.6.1-4 | — | — |
| msrc | azl3_keda_2.14.0-1 | — | — |
| msrc | azl3_keda_2.4.0-15 | — | — |
| msrc | azl3_kubevirt_0.59.0-14 | — | — |
| msrc | azl3_kubevirt_1.2.0-1 | — | — |
| msrc | azl3_multus_3.8-13 | — | — |
| msrc | azl3_multus_4.0.2-1 | — | — |
| msrc | azl3_node-problem-detector_0.8.10-18 | — | — |
| msrc | azl3_node-problem-detector_0.8.15-1 | — | — |
| msrc | azl3_sriov-network-device-plugin_3.5.1-3 | — | — |
| msrc | azl3_sriov-network-device-plugin_3.7.0-1 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_application-gateway-kubernetes-ingress_1.4.0-25 | — | — |
| msrc | cbl2_cf-cli_8.4.0-24 | — | — |
| msrc | cbl2_cni_1.0.1-18 | — | — |
| msrc | cbl2_cni_1.0.1-19 | — | — |
| msrc | cbl2_containerized-data-importer_1.55.0-23 | — | — |
| msrc | cbl2_cri-o_1.22.3-14 | — | — |
CVSS provenance
nvd v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_msrc · 7.5 HIGH
vendor_redhat · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
OSV
golang-golang-x-text, golang-x-text vulnerabilities
osv·2023-02-16·CVSS 7.5
CVE-2020-14040 [HIGH] golang-golang-x-text, golang-x-text vulnerabilities
golang-golang-x-text, golang-x-text vulnerabilities
It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14040)

It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561 affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28851, CVE-2020-28852, CVE-2021-38561, CVE-2022-32149)
GHSA
golang.org/x/text/language Denial of service via crafted Accept-Language header
ghsa·2022-10-14
CVE-2022-32149 [HIGH] CWE-772 golang.org/x/text/language Denial of service via crafted Accept-Language header
golang.org/x/text/language Denial of service via crafted Accept-Language header
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
### Specific Go Packages Affected
golang.org/x/text/language
OSV
golang.org/x/text/language Denial of service via crafted Accept-Language header
osv·2022-10-14
CVE-2022-32149 [HIGH] golang.org/x/text/language Denial of service via crafted Accept-Language header
golang.org/x/text/language Denial of service via crafted Accept-Language header
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
### Specific Go Packages Affected
golang.org/x/text/language
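A defender-side pre-filter that applies the same 1000-dash limit the advisory text above describes for ParseAcceptLanguage, as an added example (not code from the x/text project or from this advisory). The middleware name, the extra 4096-byte size cap and the sample header values are assumptions; the dash limit is the one stated in the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// maxAcceptLanguageDashes mirrors the limit added to ParseAcceptLanguage in
// golang.org/x/text v0.3.8 (the fix for CVE-2022-32149): input with more
// than 1000 dashes is rejected before the quadratic BCP 47 parser runs.
const maxAcceptLanguageDashes = 1000

// maxAcceptLanguageBytes is an assumed, additional defensive cap on the raw
// header size; it is not part of the upstream fix.
const maxAcceptLanguageBytes = 4096

// acceptLanguageTooComplex reports whether an Accept-Language value would be
// rejected under the patched parser's dash limit, or exceeds the assumed
// byte cap. It never calls the parser itself, so the cost is linear.
func acceptLanguageTooComplex(v string) bool {
	if len(v) > maxAcceptLanguageBytes {
		return true
	}
	return strings.Count(v, "-") > maxAcceptLanguageDashes
}

// SanitizeAcceptLanguage (hypothetical middleware) strips an over-complex
// Accept-Language header so that a downstream handler still linked against
// an unpatched x/text falls back to its default locale instead of spending
// quadratic time in ParseAcceptLanguage. Well-formed headers pass untouched.
func SanitizeAcceptLanguage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if acceptLanguageTooComplex(r.Header.Get("Accept-Language")) {
			r.Header.Del("Accept-Language")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample values: a typical browser header and one that
	// carries 1001 dashes, just over the limit the fix enforces.
	for _, v := range []string{"en-US,en;q=0.9,de-DE;q=0.8", strings.Repeat("a-", 1001)} {
		fmt.Printf("bytes=%d dashes=%d tooComplex=%v\n",
			len(v), strings.Count(v, "-"), acceptLanguageTooComplex(v))
	}
}
```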
OSV
CVE-2022-32149: An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse
osv·2022-10-14·CVSS 7.5
CVE-2022-32149 [HIGH] CVE-2022-32149: An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
OSV
Denial of service via crafted Accept-Language header in golang.org/x/text/language
osv·2022-10-11
CVE-2022-32149 Denial of service via crafted Accept-Language header in golang.org/x/text/language
Denial of service via crafted Accept-Language header in golang.org/x/text/language
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Palo Alto
PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2026-04-08·CVSS 7.5
CVE-2022-32149 [HIGH] PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.

| CVE | Summary |
|---|---|
| CVE-2022-32149 | This CVE is fixed in Openconfig plugin PAN-OS 11.0.6, 11.1.8, 11.2.3-h2, 11.2.4 and all later versions of Openconfig plugin PAN-OS |
| CVE-2024-33599 | This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.11, 11.2.7, and all later versions. |
| CVE-2024-33600 | This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.11, 11.2.7, and all later versions. |
| CVE-2024-33601 | This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.1 |
Ubuntu
Go Text vulnerabilities
vendor_ubuntu·2023-02-16·CVSS 7.5
CVE-2020-14040 [HIGH] Go Text vulnerabilities
Title: Go Text vulnerabilities
Summary: Several security issues were fixed in Go Text.
It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14040)

It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561 affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28851, CVE-2020-28852, CVE-2021-38561, CVE-2022-32149)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
vendor_redhat·2022-10-11·CVSS 7.5
CVE-2022-32149 [HIGH] CWE-407 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Statement: After careful analysis of the vulnerability Redhat is choosing to keep the vulnerability severity as moderate, the vulnerability exists in the ParseAcceptLanguage function of the golang text/language package, when an attacker could craft an unusually large accept header and due to the parser taking
Microsoft
Denial of service via crafted Accept-Language header in golang.org/x/text/language
vendor_msrc·2022-10-11·CVSS 7.5
CVE-2022-32149 [HIGH] CWE-772 Denial of service via crafted Accept-Language header in golang.org/x/text/language
Denial of service via crafted Accept-Language header in golang.org/x/text/language
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2022-32149: golang-golang-x-text - An attacker may cause a denial of service by crafting an Accept-Language header ...
vendor_debian·2022·CVSS 7.5
CVE-2022-32149 [HIGH] CVE-2022-32149: golang-golang-x-text - An attacker may cause a denial of service by crafting an Accept-Language header ...
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Scope: local
bookworm: resolved (fixed in 0.3.8-1)
bullseye: open
forky: resolved (fixed in 0.3.8-1)
sid: resolved (fixed in 0.3.8-1)
trixie: resolved (fixed in 0.3.8-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://go.dev/cl/442235
https://go.dev/issue/56152
https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
https://pkg.go.dev/vuln/GO-2022-1059
https://security.netapp.com/advisory/ntap-20230203-0006/
Published: 2022-10-14