Unknown · Gorilla/Schema · CVE-2024-37298
**Name of the Vulnerable Software and Affected Versions**
gorilla/schema versions prior to 1.4.1
**Description**
The issue is a memory exhaustion vulnerability in gorilla/schema. When `schema.Decoder.Decode()` is run on a struct that has a field of type `[]struct{...}`, the sparse slice functionality lets a request force large memory allocations. Any use of `schema.Decoder.Decode()` on a struct containing a slice of other structs can be affected. For instance, an attacker can name a field at a large index in the slice, which causes all preceding elements of the slice to be allocated and can exhaust memory. This can be triggered through API endpoints with a request such as `/innocent endpoint?arr.10000000.X=1`, where `arr` is a slice of structs.
**Recommendations**
For versions prior to 1.4.1, update to version 1.4.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to API endpoints that use `schema.Decoder.Decode()` on structs with arrays of other structs, to minimize the risk of exploitation.
Avoid using `schema.Decoder.Decode()` on structs with arrays of other structs until you have upgraded to a fixed version.
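As an added illustration of the temporary workaround above (not code from gorilla/schema or from the advisory), the following Go function screens form keys for an oversized slice index before anything is handed to `schema.Decoder.Decode()` on a version prior to 1.4.1. `MaxSliceIndex`, `isPathSep` and `GuardQuery` are assumed names, and splitting on a bracketed key spelling as well as on dots is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// MaxSliceIndex is an assumed upper bound on the numeric index a form key may
// address (e.g. "arr.<index>.X"). Set it to the largest slice your structs
// legitimately decode.
const MaxSliceIndex = 1000

// isPathSep treats '.', '[' and ']' as key-path separators so that "arr.7.X"
// and a bracketed spelling such as "arr[7].X" (assumed) split the same way.
func isPathSep(r rune) bool { return r == '.' || r == '[' || r == ']' }

// GuardQuery parses a raw query string and rejects it if any key addresses a
// slice index above max (or one that does not even fit in an int). A handler
// calls it before schema.Decoder.Decode() and answers HTTP 400 on error; on
// success the parsed values are returned for decoding.
func GuardQuery(rawQuery string, max int) (url.Values, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	for key := range values {
		for _, seg := range strings.FieldsFunc(key, isPathSep) {
			idx, err := strconv.Atoi(seg)
			if errors.Is(err, strconv.ErrRange) {
				return nil, fmt.Errorf("form key %q: index %q does not fit in int", key, seg)
			}
			if err != nil {
				continue // not a numeric segment, so not a slice index
			}
			if idx < 0 || idx > max {
				return nil, fmt.Errorf("form key %q: index %d exceeds limit %d", key, idx, max)
			}
		}
	}
	return values, nil
}
```

The check only bounds the index; it does not replace upgrading, and the limit should match the largest slice the endpoint legitimately accepts.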