CVE-2022-41725

Name of the Vulnerable Software and Affected Versions GoLang net/http and mime/multipart (affected versions not specified)

Description A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With the fix, ReadForm now properly accounts for various forms of memory overhead and creates at most one on-disk temporary file, combining multiple form parts into a single temporary file.

Recommendations To resolve the issue, users should update their GoLang net/http and mime/multipart packages to the latest version. As a temporary workaround, consider using the environment variable GODEBUG=multipartfiles=distinct to reenable the previous behavior of using distinct files for each form part. Restrict access to the mime/multipart.Reader.ReadForm function to minimize the risk of exploitation. Callers can limit the size of form data with http.MaxBytesReader. At the moment, there is no information about a newer version that contains a fix for this vulnerability.