Homepage
About Snyk

Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting github.com/mostynb/go-grpc-compression/nonclobbering/zstd package, versions >=1.1.4 <1.2.3

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMOSTYNBGOGRPCCOMPRESSIONNONCLOBBERINGZSTD-7247336
  • published 12 Jun 2024
  • disclosed 10 Jun 2024
  • credit Miroslav Stampar
Report a new vulnerability Found a mistake?

Introduced: 10 Jun 2024

CVE NOT AVAILABLE CWE-400 Open this link in a new tab

How to fix?

Upgrade github.com/mostynb/go-grpc-compression/nonclobbering/zstd to version 1.2.3 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the Decoder.DecodeAll function. An attacker can cause rapid memory usage increases by sending specially crafted gRPC requests.

Note: This is only exploitable if attackers can send gRPC payloads to users of the affected libraries.

Workaround

Other compression formats were not affected, users may consider switching from zstd to another format without upgrading to a newer release.

References

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
8.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    None
  • Integrity (VI)
    None
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None