Klajok

**Name of the Vulnerable Software and Affected Versions** iskorotkov/avro versions prior to 2.33.0 github.com/hamba/avro/v2 versions prior to 2.32.0 **Description** Several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized `int` before bounds-checking or summed them using overflow-prone signed-int arithmetic. On 32-bit targets, these truncation paths can bypass byte-slice limits, select the wrong union branch, or cause a panic during OCF block reads. Additionally, three issues affect all platforms: cumulative-size arithmetic overflow in `arrayDecoder.Decode()`, `mapDecoder.Decode()`, and `mapDecoderUnmarshaler.Decode()` (which can bypass `MaxSliceAllocSize` and `MaxMapAllocSize`), `math.MinInt` negation in block-header handling, and negative size allocation in `make([]byte, size)` during OCF block reads. These flaws provide an attacker with a denial-of-service primitive via an untrusted Avro stream. **Recommendations** Update iskorotkov/avro to version 2.33.0 or later. Migrate from github.com/hamba/avro/v2 to iskorotkov/avro version 2.33.0 or later. As a temporary mitigation, avoid decoding untrusted Avro data. Restrict access to the `arrayDecoder.Decode()`, `mapDecoder.Decode()`, and `mapDecoderUnmarshaler.Decode()` functions when processing untrusted input.

**Name of the Vulnerable Software and Affected Versions** iskorotkov/avro versions prior to 2.33.0 github.com/hamba/avro/v2 versions prior to 2.32.0 **Description** Remote, unauthenticated denial-of-service occurs due to CPU exhaustion in the Avro array and map decoders. The issue arises because the decoders loop over an attacker-controlled block-count value without checking the underlying reader's error state within the loop body. On amd64 and arm64 targets, the `Reader.ReadBlockHeader` function returns the count as a 64-bit `int`, allowing a producer to declare a block of up to `math.MaxInt64` elements. If the payload is truncated or ends with EOF, the decoder continues to perform no-op iterations until the loop completes, effectively pinning a CPU core until the process is terminated, deadline-cancelled, or OOM-killed. Technical details involve the following vulnerable functions: - `sliceSkipDecoder.Decode()` - `mapSkipDecoder.Decode()` - `Reader.ReadArrayCB()` - `Reader.ReadMapCB()` **Recommendations** For iskorotkov/avro versions prior to 2.33.0, update to version 2.33.0 or later. For github.com/hamba/avro/v2 versions prior to 2.32.0, migrate to iskorotkov/avro version 2.33.0 or later. To provide defense-in-depth against oversized payloads, configure `Config.MaxByteSliceSize`, `Config.MaxSliceAllocSize`, and `Config.MaxMapAllocSize` to set explicit allocation caps.