Arbitrary Code Execution Affecting github.com/cloudflare/golz4 package, versions <0.0.0-20150217214814-ef862a3cdc58


Severity: high (CVSS v3.1 assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.31% (54th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMCLOUDFLAREGOLZ4-50050
  • Published: 1 Oct 2017
  • Disclosed: 11 Jul 2014
  • Credit: Don A. Bailey

Introduced: 11 Jul 2014

CVE-2014-125026
CWE-94

How to fix?

Upgrade github.com/cloudflare/golz4 to version 0.0.0-20150217214814-ef862a3cdc58 or higher.

Overview

github.com/cloudflare/golz4 is a Golang interface to LZ4 compression.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Vulnerable versions of the library called the obsolete native LZ4_uncompress() function, which can lead to memory corruption and, if successfully exploited, to arbitrary code execution. The fix switched to the safe variant of the function, LZ4_decompress_safe().
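As an added illustration (not code from golz4 or this advisory), the following bounds-checked decoder for one raw LZ4 block follows the LZ4_decompress_safe() contract: the caller passes both the compressed length and the output capacity, and every read and write is checked before it happens, which the obsolete LZ4_uncompress() interface (it receives only the expected decompressed size) cannot do for malformed input. The sample blocks and the function name are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bounds-checked decoder for one raw LZ4 block, the format the wrapped C
 * library handles. Like LZ4_decompress_safe(), it takes both the compressed
 * length and the output capacity and checks every read and write, so a
 * malformed block is rejected with -1 instead of touching memory outside the
 * buffers. Returns the decoded length on success. */
int lz4_block_decode_safe(const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        uint8_t token = src[ip++], b;
        size_t lit = token >> 4, mlen = token & 0x0F, off;
        if (lit == 15)                          /* extended literal length */
            do { if (ip >= src_len) return -1; b = src[ip++]; lit += b; } while (b == 255);
        if (lit > src_len - ip || lit > dst_cap - op) return -1;
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == src_len) return (int)op;     /* final sequence: literals only */
        if (src_len - ip < 2) return -1;
        off = src[ip] | (size_t)src[ip + 1] << 8;
        ip += 2;
        if (off == 0 || off > op) return -1;    /* match would start before dst */
        if (mlen == 15)                         /* extended match length */
            do { if (ip >= src_len) return -1; b = src[ip++]; mlen += b; } while (b == 255);
        mlen += 4;                              /* minimum match length */
        if (mlen > dst_cap - op) return -1;
        for (size_t i = 0; i < mlen; i++)       /* byte copy handles overlap */
            dst[op + i] = dst[op + i - off];
        op += mlen;
    }
    return ip == 0 ? 0 : -1;                    /* non-empty block must end with literals */
}

/* Constructed sample blocks (not from the advisory). Token = lit_len<<4 | (match_len-4). */
static const uint8_t kGood[] = { 0x35, 'a','b','c', 0x03,0x00,      /* "abc", then match off=3 len=9 */
                                 0x50, 'h','e','l','l','o' };       /* literal-only tail */
static const uint8_t kBadOffset[] = { 0x35, 'a','b','c', 0x10,0x00, /* off=16 > 3 bytes written so far */
                                      0x50, 'h','e','l','l','o' };
static const uint8_t kTruncated[] = { 0x35, 'a' };                  /* claims 3 literals, carries 1 */
int main(void) {                                 /* prints: 17 abcabcabcabchello / -1 / -1 */
    uint8_t out[32];
    int n = lz4_block_decode_safe(kGood, sizeof kGood, out, sizeof out);
    printf("%d %.*s\n%d\n%d\n", n, n > 0 ? n : 0, (char *)out,
           lz4_block_decode_safe(kBadOffset, sizeof kBadOffset, out, sizeof out),
           lz4_block_decode_safe(kTruncated, sizeof kTruncated, out, sizeof out));
}
```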
