data/reports/GO-2023-1705.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.19.8
       - introduced: 1.20.0-0
         fixed: 1.20.3
     vulnerable_at: 1.20.2
     packages:
       - package: mime/multipart
         symbols:
           - Reader.readForm
           - mimeHeaderSize
           - newPart
           - Part.populateHeaders
           - Reader.NextPart
           - Reader.NextRawPart
           - Reader.nextPart
           - readMIMEHeader
         derived_symbols:
           - Reader.ReadForm
       - package: net/textproto
         symbols:
           - readMIMEHeader
         derived_symbols:
           - Reader.ReadMIMEHeader
 summary: |
     Excessive resource consumption in net/http, net/textproto and mime/multipart
 description: |
     Multipart form parsing can consume large amounts of CPU and memory when
     processing form inputs containing very large numbers of parts.

     This stems from several causes:

     1. mime/multipart.Reader.ReadForm limits the total memory a parsed
     multipart form can consume. ReadForm can undercount the amount of memory
     consumed, leading it to accept larger inputs than intended.

     2. Limiting total memory does not account for increased pressure on the
     garbage collector from large numbers of small allocations in forms with
     many parts.

     3. ReadForm can allocate a large number of short-lived buffers, further
     increasing pressure on the garbage collector.

     The combination of these factors can permit an attacker to cause an program
     that parses multipart forms to consume large amounts of CPU and memory,
     potentially resulting in a denial of service. This affects programs that
     use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http
     package with the Request methods FormFile, FormValue, ParseMultipartForm,
     and PostFormValue.

     With fix, ReadForm now does a better job of estimating the memory
     consumption of parsed forms, and performs many fewer short-lived
     allocations.

     In addition, the fixed mime/multipart.Reader imposes the following limits
     on the size of parsed forms:

     1. Forms parsed with ReadForm may contain no more than 1000 parts. This
     limit may be adjusted with the environment variable
     GODEBUG=multipartmaxparts=.

     2. Form parts parsed with NextPart and NextRawPart may contain no more than
     10,000 header fields. In addition, forms parsed with ReadForm may contain
     no more than 10,000 header fields across all parts. This limit may be
     adjusted with the environment variable GODEBUG=multipartmaxheaders=.
 credits:
   - Jakob Ackermann (@das7pad)
 references:
   - report: https://go.dev/issue/59153
   - fix: https://go.dev/cl/482076
   - fix: https://go.dev/cl/482075
   - fix: https://go.dev/cl/482077
   - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
 cve_metadata:
     id: CVE-2023-24536
     cwe: 'CWE-400: Uncontrolled Resource Consumption'
	modules:
	- module: std
	versions:
	- fixed: 1.19.8
	- introduced: 1.20.0-0
	fixed: 1.20.3
	vulnerable_at: 1.20.2
	packages:
	- package: mime/multipart
	symbols:
	- Reader.readForm
	- mimeHeaderSize
	- newPart
	- Part.populateHeaders
	- Reader.NextPart
	- Reader.NextRawPart
	- Reader.nextPart
	- readMIMEHeader
	derived_symbols:
	- Reader.ReadForm
	- package: net/textproto
	symbols:
	- readMIMEHeader
	derived_symbols:
	- Reader.ReadMIMEHeader
	summary: \|
	Excessive resource consumption in net/http, net/textproto and mime/multipart
	description: \|
	Multipart form parsing can consume large amounts of CPU and memory when
	processing form inputs containing very large numbers of parts.

	This stems from several causes:

	1. mime/multipart.Reader.ReadForm limits the total memory a parsed
	multipart form can consume. ReadForm can undercount the amount of memory
	consumed, leading it to accept larger inputs than intended.

	2. Limiting total memory does not account for increased pressure on the
	garbage collector from large numbers of small allocations in forms with
	many parts.

	3. ReadForm can allocate a large number of short-lived buffers, further
	increasing pressure on the garbage collector.

	The combination of these factors can permit an attacker to cause an program
	that parses multipart forms to consume large amounts of CPU and memory,
	potentially resulting in a denial of service. This affects programs that
	use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http
	package with the Request methods FormFile, FormValue, ParseMultipartForm,
	and PostFormValue.

	With fix, ReadForm now does a better job of estimating the memory
	consumption of parsed forms, and performs many fewer short-lived
	allocations.

	In addition, the fixed mime/multipart.Reader imposes the following limits
	on the size of parsed forms:

	1. Forms parsed with ReadForm may contain no more than 1000 parts. This
	limit may be adjusted with the environment variable
	GODEBUG=multipartmaxparts=.

	2. Form parts parsed with NextPart and NextRawPart may contain no more than
	10,000 header fields. In addition, forms parsed with ReadForm may contain
	no more than 10,000 header fields across all parts. This limit may be
	adjusted with the environment variable GODEBUG=multipartmaxheaders=.
	credits:
	- Jakob Ackermann (@das7pad)
	references:
	- report: https://go.dev/issue/59153
	- fix: https://go.dev/cl/482076
	- fix: https://go.dev/cl/482075
	- fix: https://go.dev/cl/482077
	- web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
	cve_metadata:
	id: CVE-2023-24536
	cwe: 'CWE-400: Uncontrolled Resource Consumption'