Iestyn Elfick

#50769 of 53,632
4.4 Total CVSS
Vulnerabilities · 1
PT-2021-15453
4.4
2021-03-08
Unknown · Go-Proxyproto · CVE-2021-23351
**Name of the Vulnerable Software and Affected Versions**

github.com/pires/go-proxyproto, versions prior to 0.5.0

**Description**

The issue is a Denial of Service (DoS) vulnerability in the `parseVersion1()` function. The reader used by the package is a default `bufio.Reader` wrapping a `net.Conn`, and the v1 header parser reads from the connection until it finds a newline. Because the code imposes no length limit, a deliberately malformed v1 header can exhaust the memory of a server process that uses this package. An attacker exploits this by opening a connection, sending a stream that starts with `PROXY`, and then continuing to send data that never contains a newline: the server keeps buffering until it runs out of memory. The risk is small in practice because only trusted sources (the upstream load balancer or proxy) should ever be allowed to send proxy protocol headers.

**Recommendations**

For versions prior to 0.5.0, update to version 0.5.0 or later to resolve the issue. As a temporary workaround, bound the number of bytes the `bufio.Reader` will accept for a header line; the PROXY protocol specification caps a v1 line at 107 bytes including the trailing CRLF, so anything longer can be rejected. `parseVersion1()` is not an exported entry point, so it cannot be restricted on its own; instead restrict which peers can reach the listener that parses proxy protocol headers, and do not accept proxy protocol headers from untrusted sources.
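The following is an added example, not code from the go-proxyproto project. It places the unbounded read pattern described above (`bufio.Reader.ReadString('\n')` with no cap) next to a bounded reader that stops after the 107-byte maximum the PROXY protocol v1 specification allows, and drives both with a constructed flood that starts with `PROXY ` and never sends a newline. The function names, the `V1Header` type, the `countingReader` helper and the sample addresses are this example's own assumptions; the bounded reader is one way to implement the "limit the reader" workaround, not a claim about how 0.5.0 fixed the issue.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

// maxV1HeaderLen is the longest v1 line the PROXY protocol spec allows:
// 107 bytes including the trailing CRLF. Anything longer is not a valid header.
const maxV1HeaderLen = 107

var (
	errV1TooLong   = errors.New("proxyproto: v1 header exceeds 107 bytes")
	errV1Malformed = errors.New("proxyproto: malformed v1 header")
)

// V1Header is this example's own parsed representation (hypothetical type).
type V1Header struct {
	Proto   string
	SrcAddr net.IP
	DstAddr net.IP
	SrcPort int
	DstPort int
}

// readV1Unbounded mirrors the vulnerable pattern: ReadString keeps growing its
// buffer until it sees '\n', so a peer that never sends one makes the server
// buffer the entire stream.
func readV1Unbounded(r *bufio.Reader) (string, error) {
	return r.ReadString('\n')
}

// readV1Bounded reads one byte at a time and gives up once maxV1HeaderLen
// bytes have been consumed without a newline. Memory use is now constant.
func readV1Bounded(r *bufio.Reader) (string, error) {
	var sb strings.Builder
	for sb.Len() < maxV1HeaderLen {
		b, err := r.ReadByte()
		if err != nil {
			return "", err
		}
		sb.WriteByte(b)
		if b == '\n' {
			return sb.String(), nil
		}
	}
	return "", errV1TooLong
}

// parseV1Line validates "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n".
func parseV1Line(line string) (*V1Header, error) {
	if !strings.HasSuffix(line, "\r\n") {
		return nil, errV1Malformed
	}
	fields := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(fields) < 2 || fields[0] != "PROXY" {
		return nil, errV1Malformed
	}
	if fields[1] == "UNKNOWN" {
		return &V1Header{Proto: "UNKNOWN"}, nil
	}
	if len(fields) != 6 || (fields[1] != "TCP4" && fields[1] != "TCP6") {
		return nil, errV1Malformed
	}
	src, dst := net.ParseIP(fields[2]), net.ParseIP(fields[3])
	if src == nil || dst == nil {
		return nil, errV1Malformed
	}
	sp, err1 := strconv.Atoi(fields[4])
	dp, err2 := strconv.Atoi(fields[5])
	if err1 != nil || err2 != nil || sp < 0 || sp > 65535 || dp < 0 || dp > 65535 {
		return nil, errV1Malformed
	}
	return &V1Header{Proto: fields[1], SrcAddr: src, DstAddr: dst, SrcPort: sp, DstPort: dp}, nil
}

// countingReader records how many bytes a reader pulled from the "connection".
type countingReader struct {
	r io.Reader
	n int
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += n
	return n, err
}

// consume feeds a constructed stream through readFn and reports the line it
// returned, the bytes pulled from the stream, and the error.
func consume(stream []byte, readFn func(*bufio.Reader) (string, error)) (string, int, error) {
	cr := &countingReader{r: bytes.NewReader(stream)}
	line, err := readFn(bufio.NewReader(cr))
	return line, cr.n, err
}

func main() {
	// Constructed attacker stream: "PROXY " followed by 1 MiB with no newline.
	flood := append([]byte("PROXY "), bytes.Repeat([]byte("A"), 1<<20)...)
	line, n, err := consume(flood, readV1Unbounded)
	fmt.Printf("unbounded: buffered %d bytes, pulled %d, err=%v\n", len(line), n, err)
	line, n, err = consume(flood, readV1Bounded)
	fmt.Printf("bounded:   buffered %d bytes, pulled %d, err=%v\n", len(line), n, err)

	// Constructed well-formed header followed by application data.
	good := []byte("PROXY TCP4 192.0.2.1 198.51.100.7 51234 443\r\nGET / HTTP/1.1\r\n")
	line, _, _ = consume(good, readV1Bounded)
	h, err := parseV1Line(line)
	fmt.Printf("parsed: %+v err=%v\n", h, err)
}
```

The bounded reader still pulls one `bufio` fill (4096 bytes by default) from the connection, which is the expected cost of buffering; what changes is that the retained line can never exceed 107 bytes, so a client that withholds the newline is rejected instead of growing a buffer without limit.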