First published: Tue Apr 04 2023(Updated: )
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
Credit: security@golang.org security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.19.8 | |
Golang Go | >=1.20.0<1.20.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-24536 is a vulnerability that allows for consuming large amounts of CPU and memory during multipart form parsing.
CVE-2023-24536 has a severity rating of 7.5 (High).
CVE-2023-24536 affects the affected software by causing excessive consumption of CPU and memory when processing multipart form inputs with a large number of parts.
To fix CVE-2023-24536, update the affected software to version 1.20.3 (for Red Hat's golang package) or version 1.19.8 (for Golang Go).
You can find more information about CVE-2023-24536 at the following references: [Reference 1](https://go.dev/cl/482075), [Reference 2](https://go.dev/cl/482076), [Reference 3](https://go.dev/cl/482077).