CVE-2023-24536: Excessive resource consumption in net/http, net/textproto and mime/multipart
First published: Tue Apr 04 2023(Updated: )
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.19.8 | |
| Golang Go | >=1.20.0<1.20.3 |
Remedy
Remedy
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-24536?
CVE-2023-24536 is a vulnerability that allows for consuming large amounts of CPU and memory during multipart form parsing.
What is the severity of CVE-2023-24536?
CVE-2023-24536 has a severity rating of 7.5 (High).
How does CVE-2023-24536 affect the affected software?
CVE-2023-24536 affects the affected software by causing excessive consumption of CPU and memory when processing multipart form inputs with a large number of parts.
How can I fix CVE-2023-24536?
To fix CVE-2023-24536, update the affected software to version 1.20.3 (for Red Hat's golang package) or version 1.19.8 (for Golang Go).
Where can I find more information about CVE-2023-24536?
You can find more information about CVE-2023-24536 at the following references: [Reference 1](https://go.dev/cl/482075), [Reference 2](https://go.dev/cl/482076), [Reference 3](https://go.dev/cl/482077).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- collector/nvd-api
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-24536
- agent/software-canonical-lookup
- vendor/golang
- canonical/golang go
- version/golang go/1.20.0
- package-manager/redhat