data/reports/GO-2021-0347.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.16.15
       - introduced: 1.17.0
         fixed: 1.17.8
     vulnerable_at: 1.17.7
     packages:
       - package: regexp
         symbols:
           - regexp.Compile
         skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 description: |
     On 64-bit platforms, an extremely deeply nested expression can
     cause regexp.Compile to cause goroutine stack exhaustion, forcing
     the program to exit. Note this applies to very large expressions,
     on the order of 2MB.
 published: 2022-05-23T22:15:47Z
 cves:
   - CVE-2022-24921
 credit: Juho Nurminen
 references:
   - fix: https://go.dev/cl/384616
   - fix: https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
   - report: https://go.dev/issue/51112
   - web: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
	modules:
	- module: std
	versions:
	- fixed: 1.16.15
	- introduced: 1.17.0
	fixed: 1.17.8
	vulnerable_at: 1.17.7
	packages:
	- package: regexp
	symbols:
	- regexp.Compile
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	description: \|
	On 64-bit platforms, an extremely deeply nested expression can
	cause regexp.Compile to cause goroutine stack exhaustion, forcing
	the program to exit. Note this applies to very large expressions,
	on the order of 2MB.
	published: 2022-05-23T22:15:47Z
	cves:
	- CVE-2022-24921
	credit: Juho Nurminen
	references:
	- fix: https://go.dev/cl/384616
	- fix: https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
	- report: https://go.dev/issue/51112
	- web: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk