CVE-2023-24536 — Allocation of Resources Without Limits or Throttling in Standard Library Mime Multipart

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption10 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 81.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Mime Multipart GO Standard Library NET Textproto Golang GO

Timeline

PublishedApr 6

Latest updateNov 14

Description

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5go_standard_library/mime_multipart1.20.0-0 — 1.20.3+1

▶NVDgolang/go1.20.0 — 1.20.3+1

▶CVEListV5go_standard_library/net_textproto1.20.0-0 — 1.20.3+1

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

CVE-2023-24536: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts↗2023-04-06

▶

GHSA

GHSA-9f7g-gqwh-jpf5: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts↗2023-04-06

▶

CVEList

Excessive resource consumption in net/http, net/textproto and mime/multipart↗2023-04-06

▶

OSV

Excessive resource consumption in net/http, net/textproto and mime/multipart↗2023-04-05

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Microsoft

Excessive resource consumption in net/http, net/textproto and mime/multipart↗2023-04-11

▶

Red Hat

golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption↗2023-04-04

▶

Debian

CVE-2023-24536: golang-1.15 - Multipart form parsing can consume large amounts of CPU and memory when processi...↗2023

▶