CVE-2023-45290: Allocation of Resources Without Limits or Throttling in Standard Library NET Textproto

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.5% (top 34.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 5 | Latest update Nov 14

Description

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now co
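The bug described above is that ParseMultipartForm's limits did not bound the buffer used to read one form line. A service owner can bound that memory on any Go release by capping the whole request body before parsing. The handler below is an added example, not code from this record or from the Go project's fix; the 1 MiB cap, the handler name and the constructed multipart body are assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes caps the whole request body before the multipart parser sees
// it; the value is an assumption for this example, size it for real uploads.
const maxBodyBytes = 1 << 20

// uploadHandler wraps the body in http.MaxBytesReader and only then parses the
// form. ParseMultipartForm's maxMemory bounds in-memory file parts, not the
// buffer used to read one form line, so the outer cap is what limits memory.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseMultipartForm(32 << 10); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// buildMultipart constructs a multipart/form-data body (sample input, not a
// captured request) whose one field name is nameLen bytes, giving an over-long form line.
func buildMultipart(nameLen int) (*bytes.Buffer, string) {
	const boundary = "exampleboundary"
	var b bytes.Buffer
	fmt.Fprintf(&b, "--%s\r\nContent-Disposition: form-data; name=%q\r\n\r\nvalue\r\n--%s--\r\n", boundary, strings.Repeat("a", nameLen), boundary)
	return &b, "multipart/form-data; boundary=" + boundary
}

// serveMultipart runs uploadHandler on a constructed body and returns the status code.
func serveMultipart(nameLen int) int {
	body, contentType := buildMultipart(nameLen)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}
```

A 16-byte field name parses normally (200), while a 2 MiB header line is cut off by the body cap and answered with 413 before the parser can buffer it in full.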

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

CVEListV5 | go_standard_library/net_textproto | 1.22.0-0 to 1.22.1 (+1)

Vulnerability Details (4)

GHSA | GHSA-rr6r-cfgf-gc6h: When parsing a multipart form (either explicitly with Request | 2024-03-06
CVEList | Memory exhaustion in multipart form parsing in net/textproto and net/http | 2024-03-05
OSV | CVE-2023-45290: When parsing a multipart form (either explicitly with Request | 2024-03-05
OSV | Memory exhaustion in multipart form parsing in net/textproto and net/http | 2024-03-05

Vendor Advisories (6)

Ubuntu | Go vulnerabilities | 2024-11-14
Ubuntu | Go vulnerabilities | 2024-11-14
Ubuntu | Go vulnerabilities | 2024-07-09
Microsoft | Memory exhaustion in multipart form parsing in net/textproto and net/http | 2024-03-12
Red Hat | golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm | 2024-03-05
CVE-2023-45290 — MEDIUM severity | cvebase