Phisco

Vulnerabilities · 1
PT-2023-21159 · CVSS 5.9 · 2023-03-09
Unknown · Crossplane-Runtime · CVE-2023-27483
**Name of the Vulnerable Software and Affected Versions**

- crossplane-runtime versions prior to 0.16.1
- crossplane-runtime versions prior to 0.19.2

**Description**

An out of memory panic issue has been discovered in crossplane-runtime, a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. This issue affects applications that use the `Paved` type's `SetValue` method with user-provided input without proper validation, allowing excessive memory consumption and potentially causing an out of memory panic.

The `Paved` type's `SetValue` method sets a value on the `Paved` object according to the provided path without validation, enabling the setting of values in slices at any provided index and growing the target array up to the requested index. The index is capped at max uint32 (4294967295), but this is still an unnecessarily large value. Applications not using the `Paved` type's `SetValue` method are not affected.

**Recommendations**

For versions prior to 0.16.1, upgrade to version 0.16.1 or later to resolve the issue. For versions prior to 0.19.2, upgrade to version 0.19.2 or later to resolve the issue.

As a temporary workaround for users unable to upgrade, parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate.
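The workaround above (validate the path before it reaches `SetValue`) can be implemented as a small guard in front of the method. The Go code below is an added example written for this page, not crossplane-runtime's own code: it assumes a simplified dot/bracket path grammar such as `spec.items[3].name` and `metadata.labels[example.org/team]` (the project's real fieldpath parser may accept more), assumes `SetValue` has the signature `SetValue(path string, value interface{}) error`, and uses a constructed cap of 1024 (`MaxSliceIndex`). Only numeric bracket segments can grow a slice, so those are the ones capped; non-numeric segments are treated as map keys and passed through.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// MaxSliceIndex is the largest slice index this guard accepts from
// untrusted input. Constructed value for this example; pick one that
// matches the largest array your objects legitimately contain.
const MaxSliceIndex = 1024

// ErrIndexTooLarge is returned when a numeric index exceeds MaxSliceIndex.
var ErrIndexTooLarge = errors.New("fieldpath: slice index exceeds configured cap")

// isDigits reports whether s is non-empty and consists only of ASCII digits.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// ValidateFieldPath scans a dot/bracket field path and rejects any bracketed
// segment that is a numeric index above MaxSliceIndex, a negative number, or
// malformed (empty or unterminated). Non-numeric segments are assumed to be
// map keys and are left alone. The grammar is a simplified assumption, not
// the project's own fieldpath parser.
func ValidateFieldPath(path string) error {
	for i := 0; i < len(path); i++ {
		if path[i] != '[' {
			continue
		}
		end := -1
		for j := i + 1; j < len(path); j++ {
			if path[j] == ']' {
				end = j
				break
			}
		}
		if end < 0 {
			return fmt.Errorf("fieldpath: unterminated '[' at offset %d in %q", i, path)
		}
		seg := path[i+1 : end]
		i = end // outer loop's i++ moves past the closing bracket
		switch {
		case seg == "":
			return fmt.Errorf("fieldpath: empty bracket segment in %q", path)
		case seg[0] == '-' && isDigits(seg[1:]):
			return fmt.Errorf("fieldpath: negative index %q in %q", seg, path)
		case isDigits(seg):
			idx, err := strconv.ParseUint(seg, 10, 64)
			if err != nil {
				// Does not even fit in uint64: far beyond any acceptable index.
				return fmt.Errorf("%w: %q in %q", ErrIndexTooLarge, seg, path)
			}
			if idx > MaxSliceIndex {
				return fmt.Errorf("%w: %d > %d in %q", ErrIndexTooLarge, idx, MaxSliceIndex, path)
			}
		}
	}
	return nil
}

// GuardedSetValue validates path and only then calls set. Callers pass the
// Paved value's SetValue method as set (assumed signature shown above), so
// no oversized index ever reaches the library.
func GuardedSetValue(set func(path string, value interface{}) error, path string, value interface{}) error {
	if err := ValidateFieldPath(path); err != nil {
		return err
	}
	return set(path, value)
}

func main() {
	// Constructed stand-in for a Paved value: records the paths it was asked to set.
	var applied []string
	fakeSet := func(path string, _ interface{}) error {
		applied = append(applied, path)
		return nil
	}
	for _, p := range []string{
		"spec.items[3].name",
		"metadata.labels[example.org/team]",
		"spec.items[4294967295].name", // max uint32: within the library's cap, rejected here
	} {
		if err := GuardedSetValue(fakeSet, p, "x"); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("applied:", p)
		}
	}
}
```

Because the guard sits in front of the method rather than replacing it, it can be removed once the application moves to 0.16.1 or 0.19.2 without touching the code that builds the paths.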