CVE-2022-41716

Name of the Vulnerable Software and Affected Versions Go versions prior to the fixed version

Description The issue is related to unsanitized NUL values in environment variables on Windows. Attackers may exploit this behavior to set arbitrary environment variables. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value, such as the string "A=Bx00C=D", can set the variables "A=B" and "C=D". This can be achieved by exploiting the lack of proper checking for invalid environment variable values.

Recommendations For Go versions prior to the fixed version, update to a version that includes the fix for the unsanitized NUL values in environment variables. As a temporary workaround, consider disabling the use of syscall.StartProcess and os/exec.Cmd until a patch is available. Restrict access to environment variables to minimize the risk of exploitation. Avoid using environment variable values containing NUL values in the affected API endpoints until the issue is resolved.