Synchronous Access of Remote Resource without Timeout Affecting github.com/hashicorp/yamux package, versions >=0.0.0


Severity

high

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMHASHICORPYAMUX-8664941
  • Published: 31 Jan 2025
  • Disclosed: 29 Jan 2025
  • Credit: Unknown

Introduced: 29 Jan 2025

CVE: NOT AVAILABLE
CWE: CWE-1088

How to fix?

There is no fixed version for github.com/hashicorp/yamux.

Overview

Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout, resulting in a deadlock condition. The cause is the default configuration, which sets Session.config.KeepAliveInterval to 30 seconds and Session.config.ConnectionWriteTimeout to 10 seconds. If the Session.sendCh channel is full, new Stream.Write requests sent before the keepalive interval has ended return ErrConnectionWriteTimeout but leave the Stream.Read hanging. This renders the Session or Stream unresponsive to all subsequent requests.
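
A caller-side guard against the hanging read described above, as an added example that is not part of the advisory or of yamux itself: every read gets a deadline, and a failed write closes the stream instead of falling through to a read. It assumes the stream is driven through the net.Conn interface, which yamux streams implement; roundTrip, isTimeout, exchange and the in-memory net.Pipe peer are hypothetical names constructed for the demonstration. This bounds the caller's wait and is not a fix for the library.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// roundTrip sends req and waits at most readTimeout for a reply.
// Assumption: in real use conn is a yamux stream passed as a net.Conn.
func roundTrip(conn net.Conn, req []byte, readTimeout time.Duration) ([]byte, error) {
	if _, err := conn.Write(req); err != nil {
		conn.Close() // a failed write must not be followed by an unbounded Read
		return nil, fmt.Errorf("write: %w", err)
	}
	conn.SetReadDeadline(time.Now().Add(readTimeout))
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil {
		conn.Close() // release the stream instead of leaving a blocked reader
		return nil, fmt.Errorf("read: %w", err)
	}
	conn.SetReadDeadline(time.Time{}) // clear the deadline for later calls
	return buf[:n], nil
}

// isTimeout reports whether err wraps a net.Error caused by a deadline expiry.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// exchange runs roundTrip over a constructed in-memory pipe (stand-in peer).
func exchange(reply bool) ([]byte, error) {
	client, server := net.Pipe()
	defer server.Close()
	go func() {
		server.Read(make([]byte, 16)) // the peer always consumes the request
		if reply {
			server.Write([]byte("pong"))
		}
	}()
	return roundTrip(client, []byte("ping"), 200*time.Millisecond)
}

func main() {
	_, err := exchange(false) // peer never answers: the read is cut off
	fmt.Println("silent peer:", err, "| timed out:", isTimeout(err))
}
```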
