| modules: |
| - module: std |
| versions: |
| - fixed: 1.19.8 |
| - introduced: 1.20.0-0 |
| fixed: 1.20.3 |
| vulnerable_at: 1.20.2 |
| packages: |
| - package: mime/multipart |
| symbols: |
| - Reader.readForm |
| - mimeHeaderSize |
| - newPart |
| - Part.populateHeaders |
| - Reader.NextPart |
| - Reader.NextRawPart |
| - Reader.nextPart |
| - readMIMEHeader |
| derived_symbols: |
| - Reader.ReadForm |
| - package: net/textproto |
| symbols: |
| - readMIMEHeader |
| derived_symbols: |
| - Reader.ReadMIMEHeader |
| summary: | |
| Excessive resource consumption in net/http, net/textproto and mime/multipart |
| description: | |
| Multipart form parsing can consume large amounts of CPU and memory when |
| processing form inputs containing very large numbers of parts. |
| |
| This stems from several causes: |
| |
| 1. mime/multipart.Reader.ReadForm limits the total memory a parsed |
| multipart form can consume. ReadForm can undercount the amount of memory |
| consumed, leading it to accept larger inputs than intended. |
| |
| 2. Limiting total memory does not account for increased pressure on the |
| garbage collector from large numbers of small allocations in forms with |
| many parts. |
| |
| 3. ReadForm can allocate a large number of short-lived buffers, further |
| increasing pressure on the garbage collector. |
| |
| The combination of these factors can permit an attacker to cause an program |
| that parses multipart forms to consume large amounts of CPU and memory, |
| potentially resulting in a denial of service. This affects programs that |
| use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http |
| package with the Request methods FormFile, FormValue, ParseMultipartForm, |
| and PostFormValue. |
| |
| With fix, ReadForm now does a better job of estimating the memory |
| consumption of parsed forms, and performs many fewer short-lived |
| allocations. |
| |
| In addition, the fixed mime/multipart.Reader imposes the following limits |
| on the size of parsed forms: |
| |
| 1. Forms parsed with ReadForm may contain no more than 1000 parts. This |
| limit may be adjusted with the environment variable |
| GODEBUG=multipartmaxparts=. |
| |
| 2. Form parts parsed with NextPart and NextRawPart may contain no more than |
| 10,000 header fields. In addition, forms parsed with ReadForm may contain |
| no more than 10,000 header fields across all parts. This limit may be |
| adjusted with the environment variable GODEBUG=multipartmaxheaders=. |
| credits: |
| - Jakob Ackermann (@das7pad) |
| references: |
| - report: https://go.dev/issue/59153 |
| - fix: https://go.dev/cl/482076 |
| - fix: https://go.dev/cl/482075 |
| - fix: https://go.dev/cl/482077 |
| - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 |
| cve_metadata: |
| id: CVE-2023-24536 |
| cwe: 'CWE-400: Uncontrolled Resource Consumption' |