CVE-2023-37475

Name of the Vulnerable Software and Affected Versions github.com/hamba/avro versions prior to 2.13.0

Description A well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal() can throw a fatal error: runtime: out of memory which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to Unmarshal() to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash.

Recommendations To resolve the issue, upgrade to version 2.13.0 or later. As a temporary workaround, consider restricting the use of the Unmarshal() function to trusted input only, until a patch is available. Avoid using the Unmarshal() function with untrusted input to minimize the risk of exploitation.