Skip to content

encoding/gob: stack exhaustion in Decoder.Decode #53615

New issue
New issue
Closed
Closed
encoding/gob: stack exhaustion in Decoder.Decode#53615
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.19
@tatianab

Description

@tatianab
tatianab
opened on Jun 29, 2022

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is CVE-2022-30635.

(This was a PRIVATE issue tracked in http://b/231318421 and fixed by http://tg/1484771.)

/cc https://github.com/orgs/golang/teams/security and https://github.com/orgs/golang/teams/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    Release Blockers

    Status

    Done

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions