Golang.Org X Text vulnerabilities
3 known vulnerabilities affecting golang.org/x/text.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2021-38561 | HIGH | ≥ 0, < 0.3.7 | 2022-12-26
CVE-2021-38561 [HIGH] CWE-125 golang.org/x/text/language Out-of-bounds Read vulnerability
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Sources: GHSA, OSV

CVE-2022-32149 | HIGH | ≥ 0, < 0.3.8 | 2022-10-14
CVE-2022-32149 [HIGH] CWE-772 golang.org/x/text/language Denial of service via crafted Accept-Language header
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this b
Sources: GHSA, OSV

CVE-2020-14040 | MEDIUM | ≥ 0, < 0.3.3 | 2021-05-18
CVE-2020-14040 [MEDIUM] CWE-400 golang.org/x/text Infinite loop
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to gol
Sources: GHSA, OSV