Sam Whited

Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.15.9 Go versions 1.16.x prior to 1.16.1 Description: The issue arises when a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element, potentially causing an infinite loop in the Decode, DecodeElement, or Skip method of an xml.Decoder. This can occur when operating on a custom xml.TokenReader. Recommendations: For Go versions prior to 1.15.9, update to version 1.15.9 or later to resolve the issue. For Go versions 1.16.x prior to 1.16.1, update to version 1.16.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom TokenReaders that may return EOF in the middle of an element until a patch is applied.