Excessive Iteration Affecting golang.org/x/image/tiff package, versions <0.10.0


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.15% (52nd percentile)

  • Snyk ID: SNYK-GOLANG-GOLANGORGXIMAGETIFF-5816821
  • published: 3 Aug 2023
  • disclosed: 2 Aug 2023
  • credit: Philippe Antoine

Introduced: 2 Aug 2023

CVE-2023-29407
CWE-834

How to fix?

Upgrade golang.org/x/image/tiff to version 0.10.0 or higher.

Overview

Affected versions of this package are vulnerable to Excessive Iteration in the Decode() and DecodeConfig() functions. A crafted TIFF can cause excessive CPU consumption during decoding: a tiled image with a height of 0 and a very large width makes the decoder walk a tile grid whose column count is proportional to the width, even though the image size (width * height) is zero. A check on the pixel count alone therefore does not bound the work; the number of tiles does. Until the dependency is upgraded, treat any TIFF from an untrusted source (uploads, fetched URLs) as able to trigger this.
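As an added illustration (not the library's code and not its patch), the following Go program shows why a pixel-count check does not bound the decoder's work for a tiled image, and what a pre-decode gate should measure instead. It parses only the geometry tags (ImageWidth, ImageLength, TileWidth, TileLength) from the first IFD of a little-endian TIFF, models the tile loop as one visit per tile column plus one per tile, and rejects images with a zero dimension or a tile count above a caller-chosen budget. The TileVisits model, the maxTiles budget, the CheckDecodeBudget/ReadGeometry names and the BuildTIFF sample inputs are assumptions made for this example; the program uses only the standard library, so it does not exercise golang.org/x/image/tiff itself.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TIFF 6.0 tag numbers for the geometry fields the gate needs.
const (
	tagImageWidth  = 256
	tagImageLength = 257
	tagTileWidth   = 322
	tagTileLength  = 323
)

type Geometry struct{ Width, Height, TileWidth, TileHeight int }

// ReadGeometry parses the first IFD of a little-endian ("II") TIFF and returns the
// geometry tags without touching pixel data (SHORT/LONG entries with count 1 only).
func ReadGeometry(b []byte) (Geometry, error) {
	var g Geometry
	le := binary.LittleEndian
	if len(b) < 8 || string(b[:2]) != "II" || le.Uint16(b[2:4]) != 42 {
		return g, errors.New("not a little-endian TIFF")
	}
	ifd := int(le.Uint32(b[4:8]))
	if ifd < 8 || ifd+2 > len(b) || ifd+2+12*int(le.Uint16(b[ifd:])) > len(b) {
		return g, errors.New("IFD offset out of range or IFD truncated")
	}
	n := int(le.Uint16(b[ifd:])) // entry count
	dst := map[uint16]*int{tagImageWidth: &g.Width, tagImageLength: &g.Height,
		tagTileWidth: &g.TileWidth, tagTileLength: &g.TileHeight}
	for i := 0; i < n; i++ {
		e := b[ifd+2+12*i:][:12]
		tag, typ, cnt := le.Uint16(e[0:2]), le.Uint16(e[2:4]), le.Uint32(e[4:8])
		var v int
		switch {
		case cnt != 1:
			continue
		case typ == 3: // SHORT: value is left-justified in the 4-byte field
			v = int(le.Uint16(e[8:10]))
		case typ == 4: // LONG
			v = int(le.Uint32(e[8:12]))
		default:
			continue
		}
		if p := dst[tag]; p != nil {
			*p = v
		}
	}
	return g, nil
}

// TileVisits models a tile-oriented decoder's loop nest (an assumption for this
// example, not the library's code): one pass per tile column and, inside it, one
// per tile row. With Height == 0 the outer loop still runs ceil(Width/TileWidth) times.
func TileVisits(g Geometry) int {
	if g.TileWidth <= 0 || g.TileHeight <= 0 {
		return 0 // not tiled: out of scope for this gate
	}
	across := (g.Width + g.TileWidth - 1) / g.TileWidth
	down := (g.Height + g.TileHeight - 1) / g.TileHeight
	return across + across*down
}

// CheckDecodeBudget is the gate to run before handing untrusted bytes to a full
// decoder: reject degenerate dimensions, then bound tile visits (not pixels) by maxTiles.
func CheckDecodeBudget(g Geometry, maxTiles int) error {
	if g.Width <= 0 || g.Height <= 0 {
		return fmt.Errorf("reject: degenerate dimensions %dx%d", g.Width, g.Height)
	}
	if v := TileVisits(g); v > maxTiles {
		return fmt.Errorf("reject: %d tile visits exceed budget %d", v, maxTiles)
	}
	return nil
}

// BuildTIFF constructs a minimal tiled TIFF header (constructed sample input, no pixel data).
func BuildTIFF(width, height, tileW, tileH uint32) []byte {
	le := binary.LittleEndian
	b := []byte{'I', 'I', 42, 0, 8, 0, 0, 0, 4, 0} // magic, version 42, IFD at 8, 4 entries
	for _, e := range [][2]uint32{{tagImageWidth, width}, {tagImageLength, height},
		{tagTileWidth, tileW}, {tagTileLength, tileH}} {
		b = le.AppendUint16(b, uint16(e[0])) // tag
		b = le.AppendUint16(b, 4)            // type LONG
		b = le.AppendUint32(b, 1)            // count
		b = le.AppendUint32(b, e[1])         // value
	}
	return le.AppendUint32(b, 0) // no next IFD
}

func main() {
	for _, b := range [][]byte{BuildTIFF(64, 64, 16, 16), BuildTIFF(0x7fffffff, 0, 1, 1)} {
		g, err := ReadGeometry(b)
		fmt.Println(g, err, "pixels:", g.Width*g.Height, "tileVisits:", TileVisits(g), "gate:", CheckDecodeBudget(g, 1<<16))
	}
}
```

The second sample has a pixel count of zero but over two billion tile-column visits, which is the shape the advisory describes; the gate rejects it on the zero height, and a one-pixel-high image with the same width is still caught by the tile budget. Such a gate is defense in depth for services that decode user-supplied images, not a substitute for upgrading to 0.10.0.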

CVSS Scores (version 3.1)