Arpad Ryszka

#35151de 53,638
7.5 CVSS total
Vulnerabilities · 1
PT-2023-2198
7.5
2023-02-15
Golang · Mime/Multipart · CVE-2022-41725
**Name of the Vulnerable Software and Affected Versions**

GoLang net/http and mime/multipart (affected versions not specified)

**Description**

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with `mime/multipart.Reader.ReadForm` can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods `FormFile`, `FormValue`, `ParseMultipartForm`, and `PostFormValue`.

The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, `ReadForm` did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, `ReadForm` contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of temporary files on disk.

With the fix, `ReadForm` properly accounts for the various forms of memory overhead and creates at most one on-disk temporary file, combining multiple form parts into a single temporary file.

**Recommendations**

To resolve the issue, users should update their GoLang net/http and mime/multipart packages to the latest version. As a temporary workaround, consider using the environment variable `GODEBUG=multipartfiles=distinct` to re-enable the previous behavior of using distinct files for each form part. Restrict access to the `mime/multipart.Reader.ReadForm` function to minimize the risk of exploitation. Callers can limit the size of form data with `http.MaxBytesReader`. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
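The recommendation to bound form data with `http.MaxBytesReader` looks like this in practice. The following is an added example written for this entry, not code from the advisory or from the Go project: `uploadHandler`, `postMultipart`, and the two size budgets are assumptions chosen for illustration, and the `*http.MaxBytesError` check assumes Go 1.19 or later, where that type exists. The handler wraps the request body before calling `ParseMultipartForm`, so once the cap is exceeded every further read fails and parsing stops instead of accumulating memory or temporary files; `postMultipart` builds a constructed multipart body and runs it through the handler in-process so the behavior can be checked offline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Budgets chosen for this example (assumed values, not from the advisory):
// maxFormBytes caps the whole request body; maxMemory is the in-memory budget
// passed to ParseMultipartForm, beyond which file parts spill to disk.
const (
	maxFormBytes = 1 << 20   // 1 MiB total body
	maxMemory    = 256 << 10 // 256 KiB of file data kept in memory
)

// uploadHandler is a hypothetical handler that parses a multipart form with
// a hard cap on the bytes it will read, so an oversized or many-part body
// fails early instead of growing memory and temp files without bound.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	// After maxFormBytes have been read, every further Read on r.Body
	// returns *http.MaxBytesError (Go 1.19+), which ReadForm propagates.
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)

	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart form", http.StatusBadRequest)
		return
	}
	// Remove any temporary files ReadForm created once the request is done.
	defer r.MultipartForm.RemoveAll()

	fmt.Fprintf(w, "fields=%d files=%d\n",
		len(r.MultipartForm.Value), len(r.MultipartForm.File))
}

// postMultipart builds a constructed multipart body (one text field plus one
// file of fileSize bytes), runs it through uploadHandler in-process, and
// returns the HTTP status code the handler produced.
func postMultipart(fileSize int) int {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	_ = mw.WriteField("comment", "constructed sample field")
	fw, _ := mw.CreateFormFile("upload", "sample.bin")
	_, _ = fw.Write(bytes.Repeat([]byte("A"), fileSize))
	_ = mw.Close()

	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("16 KiB upload ->", postMultipart(16<<10)) // 200
	fmt.Println("4 MiB upload  ->", postMultipart(4<<20))  // 413
}
```

The body cap is the control that matters: the `maxMemory` argument to `ParseMultipartForm` only decides how much file data stays in RAM before spilling to disk, so on unfixed versions it does not by itself bound the number of temporary files or the per-form overhead the advisory describes, whereas `MaxBytesReader` limits how much input the parser can ever see.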