PT-2021-15453 · Unknown · Go-Proxyproto

Iestyn Elfick · Published 2021-03-08 · Updated 2021-05-18 · CVE-2021-23351

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: github.com/pires/go-proxyproto versions prior to 0.5.0
Description: The issue concerns a Denial of Service (DoS) vulnerability via the parseVersion1() function. The reader in the package is a default bufio.Reader wrapping a net.Conn, which reads from the connection until it finds a newline. Since the code imposes no limit on the header length, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging. The risk is small because only trusted sources should be allowed to send proxy protocol headers.
Recommendations: For versions prior to 0.5.0, update to version 0.5.0 or later to resolve the issue. As a temporary workaround, consider implementing limits on the bufio.Reader to prevent excessive memory usage. Restrict access to the parseVersion1() function to minimize the risk of exploitation. Avoid using the package with untrusted sources to send proxy protocol headers.
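The bounded read that the workaround above calls for, as an added example (not code from go-proxyproto or from its 0.5.0 fix): a v1 header reader that stops after 107 bytes, the maximum line length the PROXY protocol specification allows for a v1 header, instead of buffering until a newline arrives. The sample input is constructed, and validation of the address and port strings is assumed to be the caller's job.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// A valid PROXY protocol v1 line is at most 107 bytes including "\r\n" (HAProxy
// spec), so input that runs past this without CRLF is rejected rather than
// buffered until a newline eventually arrives.
const maxV1HeaderLen = 107

var errHeaderTooLong = errors.New("proxyproto v1: no CRLF within 107 bytes")

// readV1Header reads one header line byte by byte, so memory use is bounded by
// maxV1HeaderLen no matter how much the peer sends, then splits it into its
// six fields. Address and port strings are left for the caller to validate.
func readV1Header(r *bufio.Reader) ([6]string, error) {
	var fields [6]string
	line := make([]byte, 0, maxV1HeaderLen)
	for len(line) < maxV1HeaderLen {
		b, err := r.ReadByte()
		if err != nil {
			return fields, err
		}
		line = append(line, b)
		if b != '\n' {
			continue
		}
		if len(line) < 2 || line[len(line)-2] != '\r' {
			return fields, errors.New("proxyproto v1: expected CRLF")
		}
		f := strings.Split(string(line[:len(line)-2]), " ")
		if len(f) != 6 || f[0] != "PROXY" {
			return fields, fmt.Errorf("proxyproto v1: malformed header %q", line)
		}
		copy(fields[:], f)
		return fields, nil
	}
	// Limit reached without a line terminator: give up instead of growing.
	return fields, errHeaderTooLong
}

func main() {
	// Constructed sample: a valid header followed by the client's first bytes.
	r := bufio.NewReader(strings.NewReader("PROXY TCP4 192.0.2.10 198.51.100.7 40000 443\r\nGET / HTTP/1.1\r\n"))
	fmt.Println(readV1Header(r))
}
```

Bytes after the header are left unread in the bufio.Reader, so the application protocol can continue from the same reader.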

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2021-23351
GHSA-FQH4-RH59-XHVF
SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1081577

Affected Products

Go-Proxyproto