CVE-2022-41725Allocation of Resources Without Limits or Throttling in Standard Library Mime Multipart

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption13 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 79.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GO Standard Library Mime MultipartGolang GO
Timeline
PublishedFeb 28
Latest updateNov 14

Description

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5go_standard_library/mime_multipart1.20.0-01.20.1+1
NVDgolang/go< 1.19.6+1

Patches

Patch: go.devPatch: go.devPatch: go.dev

🔴Vulnerability Details

6
OSV
golang-1.18 vulnerabilities2024-11-14
OSV
golang-1.17 vulnerabilities2024-11-14
OSV
CVE-2022-41725: A denial of service is possible from excessive resource consumption in net/http and mime/multipart2023-02-28
GHSA
GHSA-w4h2-22wh-m6jx: A denial of service is possible from excessive resource consumption in net/http and mime/multipart2023-02-28
CVEList
Excessive resource consumption in mime/multipart2023-02-28

📋Vendor Advisories

6
Ubuntu
Go vulnerabilities2024-11-14
Ubuntu
Go vulnerabilities2024-11-14
Ubuntu
Go vulnerabilities2023-06-06
Red Hat
golang: net/http, mime/multipart: denial of service from excessive resource consumption2023-02-15
Microsoft
Excessive resource consumption in mime/multipart2023-02-14
CVE-2022-41725 — HIGH severity | cvebase