| id: GO-2023-1705 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.19.8 |
| - introduced: 1.20.0-0 |
| - fixed: 1.20.3 |
| vulnerable_at: 1.20.2 |
| packages: |
| - package: mime/multipart |
| symbols: |
| - Reader.readForm |
| - mimeHeaderSize |
| - newPart |
| - Part.populateHeaders |
| - Reader.NextPart |
| - Reader.NextRawPart |
| - Reader.nextPart |
| - readMIMEHeader |
| derived_symbols: |
| - Reader.ReadForm |
| - package: net/textproto |
| symbols: |
| - readMIMEHeader |
| derived_symbols: |
| - Reader.ReadMIMEHeader |
| summary: Excessive resource consumption in net/http, net/textproto and mime/multipart |
| description: |- |
| Multipart form parsing can consume large amounts of CPU and memory when |
| processing form inputs containing very large numbers of parts. |
| |
| This stems from several causes: |
| |
| 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart |
| form can consume. ReadForm can undercount the amount of memory consumed, leading |
| it to accept larger inputs than intended. |
| 2. Limiting total memory does not account for increased pressure on the garbage |
| collector from large numbers of small allocations in forms with many parts. |
| 3. ReadForm can allocate a large number of short-lived buffers, further |
| increasing pressure on the garbage collector. |
| |
| The combination of these factors can permit an attacker to cause an program that |
| parses multipart forms to consume large amounts of CPU and memory, potentially |
| resulting in a denial of service. This affects programs that use |
| mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package |
| with the Request methods FormFile, FormValue, ParseMultipartForm, and |
| PostFormValue. |
| |
| With fix, ReadForm now does a better job of estimating the memory consumption of |
| parsed forms, and performs many fewer short-lived allocations. |
| |
| In addition, the fixed mime/multipart.Reader imposes the following limits on the |
| size of parsed forms: |
| |
| 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit |
| may be adjusted with the environment variable GODEBUG=multipartmaxparts=. |
| 2. Form parts parsed with NextPart and NextRawPart may contain no more than |
| 10,000 header fields. In addition, forms parsed with ReadForm may contain no |
| more than 10,000 header fields across all parts. This limit may be adjusted with |
| the environment variable GODEBUG=multipartmaxheaders=. |
| credits: |
| - Jakob Ackermann (@das7pad) |
| references: |
| - report: https://go.dev/issue/59153 |
| - fix: https://go.dev/cl/482076 |
| - fix: https://go.dev/cl/482075 |
| - fix: https://go.dev/cl/482077 |
| - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 |
| cve_metadata: |
| id: CVE-2023-24536 |
| cwe: 'CWE-400: Uncontrolled Resource Consumption' |
| references: |
| - https://security.netapp.com/advisory/ntap-20230526-0007/ |
| - https://security.gentoo.org/glsa/202311-09 |
| review_status: REVIEWED |