CVE-2024-45338 — Regex Denial of Service in X NET Golang.org X NET Html

CWE-1333 — Regex Denial of Service CWE-770 — Allocation of Resources Without Limits or Throttling9 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 90.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X NET Golang.org X NET Html Golang.org X NET Html

Timeline

PublishedDec 18

Latest updateJan 9

Description

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶Gogolang.org/x_net_html< 0.33.0

▶CVEListV5golang.org/x_net_golang.org_x_net_html< 0.33.0

🔴Vulnerability Details

GHSA

Non-linear parsing of case-insensitive content in golang.org/x/net/html↗2024-12-18

▶

OSV

Non-linear parsing of case-insensitive content in golang.org/x/net/html↗2024-12-18

▶

CVEList

Non-linear parsing of case-insensitive content in golang.org/x/net/html↗2024-12-18

▶

OSV

CVE-2024-45338: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow par↗2024-12-18

▶

📋Vendor Advisories

Ubuntu

Go Networking vulnerability↗2025-01-09

▶

Red Hat

golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html↗2024-12-18

▶

Microsoft

Non-linear parsing of case-insensitive content in golang.org/x/net/html↗2024-12-10

▶

Debian

CVE-2024-45338: golang-golang-x-net - An attacker can craft an input to the Parse functions that would be processed no...↗2024

▶